Annotate

plugins/mod_saslauth.lua @ 10682:62ef68f95b6f 0.11

mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504) This lets Prosody handle socket related work between each step in the cleanup in order to prevent the server from being completely blocked during this. An async storage backend would not need this but those are currently rare.
author Kim Alvefur <zash@zash.se>
date Wed, 11 Mar 2020 21:15:01 +0100
parent 8513:c6be9bbd0a1a
child 9738:f5aa6fdc935e
child 11212:1bfd238e05ad
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5535
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
7899
2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7897
diff changeset
8 -- luacheck: ignore 431/log
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
447
c0dae734d3bf Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents: 438
diff changeset
14 local base64 = require "util.encodings".base64;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
3188
c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents: 3178
diff changeset
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 local tostring = tostring;
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
6488
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6493
4e51b5e81bdd mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents: 6492
diff changeset
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7298
7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents: 6519
diff changeset
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
3066
5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents: 3064
diff changeset
23
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
24 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
27 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
29 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
30 local reply = st.stanza(status, {xmlns = xmlns_sasl});
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
31 if status == "failure" then
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
32 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
33 if err_msg then reply:tag("text"):text(err_msg); end
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
34 elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
35 if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
36 reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
37 elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
38 reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
39 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
40 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
41 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
42 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
45
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
46 local function handle_status(session, status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
47 if status == "failure" then
4361
605045b77bc6 mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents: 4078
diff changeset
48 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
2251
18079ede5b62 mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents: 2242
diff changeset
49 session.sasl_handler = session.sasl_handler:clean_clone();
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
50 elseif status == "success" then
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
51 local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
52 if ok then
4504
55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents: 4492
diff changeset
53 module:fire_event("authentication-success", { session = session });
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
54 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
55 session:reset_stream();
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
56 else
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
57 module:log("warn", "SASL succeeded but username was invalid");
4505
b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents: 4504
diff changeset
58 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
59 session.sasl_handler = session.sasl_handler:clean_clone();
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
60 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
61 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
62 end
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
63 return status, ret, err_msg;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
64 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
65
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
66 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
67 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
68 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
69 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
70 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
71 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
72 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
73 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
74 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
75 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
76 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
77 local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
78 status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
79 local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
80 log("debug", "sasl reply: %s", tostring(s));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
81 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
82 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
83 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
84
8042
5d5afaafac0f mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7962
diff changeset
85 module:hook_tag(xmlns_sasl, "success", function (session)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
86 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
87 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
88 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
89 session:reset_stream();
5535
0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents: 5362
diff changeset
90 session:open_stream(session.from_host, session.to_host);
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
91
5362
612467e263af s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents: 5351
diff changeset
92 module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
93 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
94 end)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
95
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
96 module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
97 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
98
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
99 local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
100 local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
101 for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
102 if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
103 condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
104 break;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
105 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
106 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
107 if text and condition then
8222
67a9d2de2300 mod_saslauth: Use correct varible name (thanks Roi)
Kim Alvefur <zash@zash.se>
parents: 7939
diff changeset
108 condition = condition .. ": " .. text;
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
109 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
110 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, condition);
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
111
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
112 session.external_auth = "failed"
8511
dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents: 8510
diff changeset
113 session.external_auth_failure_reason = condition;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
114 end, 500)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
115
8513
c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8512
diff changeset
116 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
117 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
8511
dd7b8888636e mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents: 8510
diff changeset
118 session:close(nil, session.external_auth_failure_reason);
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
119 return true;
8509
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
120 end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
121
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
122 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
123 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
124
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
125 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
126 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
127 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
128 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
129 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
130 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
131 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
132 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
133 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
134 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
135 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
136 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
137 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
138 end, 150);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
139
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
140 local function s2s_external_auth(session, stanza)
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
141 if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
142
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
143 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
144
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
145 if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
146 session.sends2s(build_reply("failure", "invalid-mechanism"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
147 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
148 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
149
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
150 if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
151 session.sends2s(build_reply("failure", "encryption-required"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
152 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
153 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
154
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
155 local text = stanza[1];
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
156 if not text then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
157 session.sends2s(build_reply("failure", "malformed-request"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
158 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
159 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
160
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
161 text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
162 if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
163 session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
164 return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
165 end
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
166
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
167 -- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
168 if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
169 session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
170 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
171 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
172
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
173 -- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
174 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
175 session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
176 session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
177 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
178 end
4492
0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents: 4395
diff changeset
179
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
180 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
181 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
182 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
183 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
184 module:fire_event("s2s-authenticated", { session = session, host = session.from_host });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
185 session:reset_stream();
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
186 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
187 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
188
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
189 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
190 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
191 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
192 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
193 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
194
6033
0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents: 5535
diff changeset
195 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
196
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
197 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
198 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
199 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
200 if not session.sasl_handler then
4939
0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents: 4754
diff changeset
201 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
202 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
203 local mechanism = stanza.attr.mechanism;
6490
8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents: 6489
diff changeset
204 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
205 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
206 return true;
6492
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
207 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
208 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
209 return true;
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
210 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
211 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
212 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
213 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
214 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
215 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
216 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
217 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
218 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
219 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
220 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
221 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
222 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
223 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
224 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
225 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
226 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
227 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
228 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
229 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
230 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
231 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
232
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
233 local function tls_unique(self)
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
234 return self.userdata["tls-unique"]:getpeerfinished();
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
235 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
236
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
237 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
238 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
239 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
240 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
241 local origin, features = event.origin, event.features;
7896
1a2674123c1c mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents: 7784
diff changeset
242 local log = origin.log or log;
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
243 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
244 if secure_auth_only and not origin.secure then
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
245 log("debug", "Not offering authentication on insecure connection");
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
246 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
247 end
6517
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
248 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
249 origin.sasl_handler = sasl_handler;
5860
87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents: 5843
diff changeset
250 if origin.encrypted then
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
251 -- check wether LuaSec has the nifty binding to the function needed for tls-unique
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
252 -- FIXME: would be nice to have this check only once and not for every socket
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
253 if sasl_handler.add_cb_handler then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
254 local socket = origin.conn:socket();
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
255 if socket.getpeerfinished then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
256 sasl_handler:add_cb_handler("tls-unique", tls_unique);
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
257 end
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
258 sasl_handler["userdata"] = {
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
259 ["tls-unique"] = socket;
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
260 };
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
261 end
5832
7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents: 3983
diff changeset
262 end
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
263 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
264 local sasl_mechanisms = sasl_handler:mechanisms()
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
265 for mechanism in pairs(sasl_mechanisms) do
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
266 if disabled_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
267 log("debug", "Not offering disabled mechanism %s", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
268 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
269 log("debug", "Not offering mechanism %s on insecure connection", mechanism);
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
270 else
8479
867679b0fb03 mod_saslauth: Log which mechanisms are offered
Kim Alvefur <zash@zash.se>
parents: 8234
diff changeset
271 log("debug", "Offering mechanism %s", mechanism);
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
272 mechanisms:tag("mechanism"):text(mechanism):up();
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
273 end
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
274 end
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
275 if mechanisms[1] then
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
276 features:add_child(mechanisms);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
277 elseif not next(sasl_mechanisms) then
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
278 log("warn", "No available SASL mechanisms, verify that the configured authentication module is working");
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
279 else
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
280 log("warn", "All available authentication mechanisms are either disabled or not suitable for an insecure connection");
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
281 end
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
282 else
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
283 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
284 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
285 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
286 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
287
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
288 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
289 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
290 if origin.secure and origin.type == "s2sin_unauthed" then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
291 -- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
292 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
293 module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
294 origin.external_auth = "offered"
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
295 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
296 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
297 :up():up();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
298 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
299 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
300 end);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
301
7784
9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents: 7298
diff changeset
302 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
303 local origin, stanza = event.origin, event.stanza;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
304 local resource;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
305 if stanza.attr.type == "set" then
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
306 local bind = stanza.tags[1];
6302
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 6038
diff changeset
307 resource = bind:get_child("resource");
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
308 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
309 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
310 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
311 if success then
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
312 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
313 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
314 :tag("jid"):text(origin.full_jid));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
315 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
316 else
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
317 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
318 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
319 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
320 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
321 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
322
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
323 local function handle_legacy_session(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
324 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
325 return true;
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
326 end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
327
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
328 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
329 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);