Software / code / prosody
Annotate
plugins/mod_auth_internal_hashed.lua @ 12746:7eabf8d78978
util.roles: Return nil if the role has no explicit policy (fixes inheritance)
Previously, if the first inherited role had no opinion, it returned false and
prevented further consultation of other inherited roles.
This bug was found thanks to the implementation of missing test cases
identified through mutation testing.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 07 Oct 2022 16:58:08 +0100 |
| parent | 12669:aed38948791f |
| child | 12900:5484debdfdfe |
| rev | line source |
|---|---|
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
1 -- Prosody IM |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
4 -- Copyright (C) 2010 Jeff Mitchell |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
5 -- |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
6 -- This project is MIT/X11 licensed. Please see the |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
7 -- COPYING file in the source package for more information. |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
8 -- |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
9 |
|
6019
e9147a16059d
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
Florian Zeitz <florob@babelmonkeys.de>
parents:
5784
diff
changeset
|
10 local max = math.max; |
|
e9147a16059d
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
Florian Zeitz <florob@babelmonkeys.de>
parents:
5784
diff
changeset
|
11 |
|
10218
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
12 local scram_hashers = require "util.sasl.scram".hashers; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
13 local usermanager = require "core.usermanager"; |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
14 local generate_uuid = require "util.uuid".generate; |
|
3186
b5f261123013
mod_auth_internal, mod_auth_internal_hashed: Updated to provide get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents:
3180
diff
changeset
|
15 local new_sasl = require "util.sasl".new; |
|
6707
06cdd4afaaf9
mod_auth_internal_hashed: Use util.hex
Kim Alvefur <zash@zash.se>
parents:
6019
diff
changeset
|
16 local hex = require"util.hex"; |
|
12355
a0ff5c438e9d
util.hex: Deprecate to/from in favour of encode/decode, for consistency!
Matthew Wild <mwild1@gmail.com>
parents:
12128
diff
changeset
|
17 local to_hex, from_hex = hex.encode, hex.decode; |
|
10914
0d7d71dee0a0
mod_auth_internal_*: Apply saslprep to passwords
Kim Alvefur <zash@zash.se>
parents:
10522
diff
changeset
|
18 local saslprep = require "util.encodings".stringprep.saslprep; |
|
11544
c98aebe601f9
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
Matthew Wild <mwild1@gmail.com>
parents:
10914
diff
changeset
|
19 local secure_equals = require "util.hashes".equals; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
20 |
|
5783
3a81e3b0ea4f
mod_auth_internal_hashed: Use logger setup by moduleapi instead of going for util.logger directly
Kim Alvefur <zash@zash.se>
parents:
5782
diff
changeset
|
21 local log = module._log; |
|
5784
02217725454b
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
Kim Alvefur <zash@zash.se>
parents:
5783
diff
changeset
|
22 local host = module.host; |
|
5783
3a81e3b0ea4f
mod_auth_internal_hashed: Use logger setup by moduleapi instead of going for util.logger directly
Kim Alvefur <zash@zash.se>
parents:
5782
diff
changeset
|
23 |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
24 local accounts = module:open_store("accounts"); |
|
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
25 |
|
10218
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
26 local hash_name = module:get_option_string("password_hash", "SHA-1"); |
|
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
27 local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library"); |
|
10219
d58925bb74ca
mod_auth_internal_hashed: Precompute SCRAM authentication profile name (thanks MattJ)
Kim Alvefur <zash@zash.se>
parents:
10218
diff
changeset
|
28 local scram_name = "scram_"..hash_name:gsub("%-","_"):lower(); |
|
3288
1a84d7d6f667
mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not
Matthew Wild <mwild1@gmail.com>
parents:
3287
diff
changeset
|
29 |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
30 -- Default; can be set per-user |
|
12128
593e823566e1
mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438
Kim Alvefur <zash@zash.se>
parents:
12127
diff
changeset
|
31 local default_iteration_count = module:get_option_number("default_iteration_count", 10000); |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
32 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
33 -- define auth provider |
|
5117
2c7e1ce8f482
mod_auth_*: Use module:provides().
Waqas Hussain <waqas20@gmail.com>
parents:
5116
diff
changeset
|
34 local provider = {}; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
35 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
36 function provider.test_password(username, password) |
|
5784
02217725454b
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
Kim Alvefur <zash@zash.se>
parents:
5783
diff
changeset
|
37 log("debug", "test password for user '%s'", username); |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
38 local credentials = accounts:get(username) or {}; |
|
10914
0d7d71dee0a0
mod_auth_internal_*: Apply saslprep to passwords
Kim Alvefur <zash@zash.se>
parents:
10522
diff
changeset
|
39 password = saslprep(password); |
|
0d7d71dee0a0
mod_auth_internal_*: Apply saslprep to passwords
Kim Alvefur <zash@zash.se>
parents:
10522
diff
changeset
|
40 if not password then |
|
0d7d71dee0a0
mod_auth_internal_*: Apply saslprep to passwords
Kim Alvefur <zash@zash.se>
parents:
10522
diff
changeset
|
41 return nil, "Password fails SASLprep."; |
|
0d7d71dee0a0
mod_auth_internal_*: Apply saslprep to passwords
Kim Alvefur <zash@zash.se>
parents:
10522
diff
changeset
|
42 end |
|
3166
3c46cb94caed
Add mechanism for upgrading to hashed passwords from default. Remove some extra debug.
Jeff Mitchell <jeff@jefferai.org>
parents:
3164
diff
changeset
|
43 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
44 if credentials.password ~= nil and string.len(credentials.password) ~= 0 then |
|
11544
c98aebe601f9
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
Matthew Wild <mwild1@gmail.com>
parents:
10914
diff
changeset
|
45 if not secure_equals(saslprep(credentials.password), password) then |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
46 return nil, "Auth failed. Provided password is incorrect."; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
47 end |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
48 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
49 if provider.set_password(username, credentials.password) == nil then |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
50 return nil, "Auth failed. Could not set hashed password from plaintext."; |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
51 else |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
52 return true; |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
53 end |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
54 end |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
55 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
56 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
57 return nil, "Auth failed. Stored salt and iteration count information is not complete."; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
58 end |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
59 |
|
10218
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
60 local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count); |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
61 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
62 local stored_key_hex = to_hex(stored_key); |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
63 local server_key_hex = to_hex(server_key); |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
64 |
|
11544
c98aebe601f9
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
Matthew Wild <mwild1@gmail.com>
parents:
10914
diff
changeset
|
65 if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
66 return true; |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
67 else |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
68 return nil, "Auth failed. Invalid username, password, or password hash information."; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
69 end |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
70 end |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
71 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
72 function provider.set_password(username, password) |
|
5784
02217725454b
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
Kim Alvefur <zash@zash.se>
parents:
5783
diff
changeset
|
73 log("debug", "set_password for username '%s'", username); |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
74 local account = accounts:get(username); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
75 if account then |
|
6019
e9147a16059d
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
Florian Zeitz <florob@babelmonkeys.de>
parents:
5784
diff
changeset
|
76 account.salt = generate_uuid(); |
|
e9147a16059d
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
Florian Zeitz <florob@babelmonkeys.de>
parents:
5784
diff
changeset
|
77 account.iteration_count = max(account.iteration_count or 0, default_iteration_count); |
|
10218
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
78 local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count); |
|
10522
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
79 if not valid then |
|
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
80 return valid, stored_key; |
|
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
81 end |
|
3288
1a84d7d6f667
mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not
Matthew Wild <mwild1@gmail.com>
parents:
3287
diff
changeset
|
82 local stored_key_hex = to_hex(stored_key); |
|
1a84d7d6f667
mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not
Matthew Wild <mwild1@gmail.com>
parents:
3287
diff
changeset
|
83 local server_key_hex = to_hex(server_key); |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
84 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
85 account.stored_key = stored_key_hex |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
86 account.server_key = server_key_hex |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
87 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
88 account.password = nil; |
|
12646
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
89 account.updated = os.time(); |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
90 return accounts:set(username, account); |
|
3994
42899d5efe3b
mod_auth_internal_*: Support for delete_user method
Matthew Wild <mwild1@gmail.com>
parents:
3981
diff
changeset
|
91 end |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
92 return nil, "Account not available."; |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
93 end |
|
3994
42899d5efe3b
mod_auth_internal_*: Support for delete_user method
Matthew Wild <mwild1@gmail.com>
parents:
3981
diff
changeset
|
94 |
|
12646
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
95 function provider.get_account_info(username) |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
96 local account = accounts:get(username); |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
97 if not account then return nil, "Account not available"; end |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
98 return { |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
99 created = account.created; |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
100 password_updated = account.updated; |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
101 }; |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
102 end |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
103 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
104 function provider.user_exists(username) |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
105 local account = accounts:get(username); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
106 if not account then |
|
5784
02217725454b
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
Kim Alvefur <zash@zash.se>
parents:
5783
diff
changeset
|
107 log("debug", "account not found for username '%s'", username); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
108 return nil, "Auth failed. Invalid username"; |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
109 end |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
110 return true; |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
111 end |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
112 |
|
5156
6b08c922a2e4
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents:
5117
diff
changeset
|
113 function provider.users() |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
114 return accounts:users(); |
|
5156
6b08c922a2e4
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents:
5117
diff
changeset
|
115 end |
|
6b08c922a2e4
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents:
5117
diff
changeset
|
116 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
117 function provider.create_user(username, password) |
|
12669
aed38948791f
mod_auth_internal_hashed: Allow creating disabled account without password
Kim Alvefur <zash@zash.se>
parents:
12646
diff
changeset
|
118 local now = os.time(); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
119 if password == nil then |
|
12669
aed38948791f
mod_auth_internal_hashed: Allow creating disabled account without password
Kim Alvefur <zash@zash.se>
parents:
12646
diff
changeset
|
120 return accounts:set(username, { created = now; updated = now; disabled = true }); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
121 end |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
122 local salt = generate_uuid(); |
|
10218
e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
123 local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count); |
|
10522
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
124 if not valid then |
|
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
125 return valid, stored_key; |
|
b1ca849b8e3a
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
Kim Alvefur <zash@zash.se>
parents:
8192
diff
changeset
|
126 end |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
127 local stored_key_hex = to_hex(stored_key); |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
128 local server_key_hex = to_hex(server_key); |
|
8056
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
129 return accounts:set(username, { |
|
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
130 stored_key = stored_key_hex, server_key = server_key_hex, |
|
12646
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
131 salt = salt, iteration_count = default_iteration_count, |
|
3f38f4735c7a
usermanager, mod_auth_*: Add get_account_info() returning creation/update time
Matthew Wild <mwild1@gmail.com>
parents:
12355
diff
changeset
|
132 created = now, updated = now; |
|
8056
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
133 }); |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
134 end |
|
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
135 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
136 function provider.delete_user(username) |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
137 return accounts:set(username, nil); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
138 end |
|
3164
db9def53fe9c
Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents:
diff
changeset
|
139 |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
140 function provider.get_sasl_handler() |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
141 local testpass_authentication_profile = { |
|
8055
b08d9295f036
mod_auth_internal_hashed: Rename unused 'self' to _ [luacheck]
Kim Alvefur <zash@zash.se>
parents:
6707
diff
changeset
|
142 plain_test = function(_, username, password, realm) |
|
5302
52fe5df91c65
mod_auth_internal_plain, mod_auth_internal_hashed: No need to nodeprep here.
Waqas Hussain <waqas20@gmail.com>
parents:
5156
diff
changeset
|
143 return usermanager.test_password(username, realm, password), true; |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
144 end, |
|
10219
d58925bb74ca
mod_auth_internal_hashed: Precompute SCRAM authentication profile name (thanks MattJ)
Kim Alvefur <zash@zash.se>
parents:
10218
diff
changeset
|
145 [scram_name] = function(_, username) |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
146 local credentials = accounts:get(username); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
147 if not credentials then return; end |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
148 if credentials.password then |
|
8192
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
149 if provider.set_password(username, credentials.password) == nil then |
|
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
150 return nil, "Auth failed. Could not set hashed password from plaintext."; |
|
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
151 end |
|
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
152 credentials = accounts:get(username); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
153 if not credentials then return; end |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
154 end |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
155 |
|
8056
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
156 local stored_key, server_key = credentials.stored_key, credentials.server_key; |
|
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
157 local iteration_count, salt = credentials.iteration_count, credentials.salt; |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
158 stored_key = stored_key and from_hex(stored_key); |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
159 server_key = server_key and from_hex(server_key); |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
160 return stored_key, server_key, iteration_count, salt, true; |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
161 end |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
162 }; |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
163 return new_sasl(host, testpass_authentication_profile); |
|
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
164 end |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
165 |
|
5117
2c7e1ce8f482
mod_auth_*: Use module:provides().
Waqas Hussain <waqas20@gmail.com>
parents:
5116
diff
changeset
|
166 module:provides("auth", provider); |
|
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
167 |
