prosody
8087f5357f53
plugins/mod_saslauth.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_saslauth.lua @ 12525:8087f5357f53 0.12

mod_smacks: Fix bounce of stanzas directed to full JID on unclean disconnect Fixes #1758 Introduced in 1ea01660c79a In e62025f949f9 to and from was inverted since it changed from acting on a reply to acting on the original stanza (or a clone thereof) Unsure of the purpose of this check, you don't usually send stanzas to your own full JID. Perhaps guarding against routing loops? The check was present in the original commit of mod_smacks, prosody-modules rev 9a7671720dec
author Kim Alvefur <zash@zash.se>
date Fri, 27 May 2022 12:05:47 +0200
parent 12333:ed8a4f8dfd27
child 12480:7e9ebdc75ce4
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5535
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
7899
2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7897
diff changeset
8 -- luacheck: ignore 431/log
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
447
c0dae734d3bf Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents: 438
diff changeset
14 local base64 = require "util.encodings".base64;
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
15 local set = require "util.set";
10487
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
16 local errors = require "util.error";
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17
3188
c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents: 3178
diff changeset
18 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19
12330
38b5b05407be various: Require encryption by default for real
Kim Alvefur <zash@zash.se>
parents: 11526
diff changeset
20 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
6488
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
21 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6493
4e51b5e81bdd mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents: 6492
diff changeset
22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7298
7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents: 6519
diff changeset
23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
3066
5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents: 3064
diff changeset
24
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
25 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
28 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
30 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
31 local reply = st.stanza(status, {xmlns = xmlns_sasl});
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
32 if status == "failure" then
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
33 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
34 if err_msg then reply:tag("text"):text(err_msg); end
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
35 elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
36 if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
37 reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
38 elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
39 reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
40 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
41 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
42 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
45 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
46
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
47 local function handle_status(session, status, ret, err_msg)
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
48 if not session.sasl_handler then
11513
549c80feede6 mod_saslauth: Use a defined SASL error
Kim Alvefur <zash@zash.se>
parents: 11512
diff changeset
49 return "failure", "temporary-auth-failure", "Connection gone";
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
50 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
51 if status == "failure" then
4361
605045b77bc6 mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents: 4078
diff changeset
52 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
2251
18079ede5b62 mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents: 2242
diff changeset
53 session.sasl_handler = session.sasl_handler:clean_clone();
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
54 elseif status == "success" then
10643
417eadd0f567 mod_saslauth: Pass through any auth scope from the SASL handler to sessionmanager.make_authenticated()
Matthew Wild <mwild1@gmail.com>
parents: 10488
diff changeset
55 local ok, err = sm_make_authenticated(session, session.sasl_handler.username, session.sasl_handler.scope);
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
56 if ok then
4504
55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents: 4492
diff changeset
57 module:fire_event("authentication-success", { session = session });
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
58 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
59 session:reset_stream();
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
60 else
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
61 module:log("warn", "SASL succeeded but username was invalid");
4505
b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents: 4504
diff changeset
62 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
63 session.sasl_handler = session.sasl_handler:clean_clone();
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
64 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
65 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
66 end
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
67 return status, ret, err_msg;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
68 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
69
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
70 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
71 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
72 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
73 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
74 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
75 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
76 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
77 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
78 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
79 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
80 local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
81 status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
82 local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
83 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
84 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
85 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
86
8042
5d5afaafac0f mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7962
diff changeset
87 module:hook_tag(xmlns_sasl, "success", function (session)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
88 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
89 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
90 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
91 session:reset_stream();
5535
0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents: 5362
diff changeset
92 session:open_stream(session.from_host, session.to_host);
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
93
11526
15a3db955ad3 s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents: 11514
diff changeset
94 module:fire_event("s2s-authenticated", { session = session, host = session.to_host, mechanism = "EXTERNAL" });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
95 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
96 end)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
97
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
98 module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
99 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
100
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
101 local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
102 local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
103 for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
104 if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
105 condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
106 break;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
107 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
108 end
10487
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
109 local err = errors.new({
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
110 -- TODO type = what?
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
111 text = text,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
112 condition = condition,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
113 }, {
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
114 session = session,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
115 stanza = stanza,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
116 });
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
117
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
118 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, err);
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
119
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
120 session.external_auth = "failed"
10487
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
121 session.external_auth_failure_reason = err;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
122 end, 500)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
123
8513
c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8512
diff changeset
124 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
125 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
10488
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
126 session:close(nil, session.external_auth_failure_reason, errors.new({
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
127 type = "wait", condition = "remote-server-timeout",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
128 text = "Could not authenticate to remote server",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
129 }, { session = session, sasl_failure = session.external_auth_failure_reason, }));
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
130 return true;
8509
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
131 end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
132
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
133 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
134 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
135
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
136 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
137 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
138 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
139 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
140 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
141 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
142 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
143 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
144 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
145 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
146 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
147 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
148 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
149 end, 150);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
150
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
151 local function s2s_external_auth(session, stanza)
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
152 if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
153
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
154 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
155
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
156 if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
157 session.sends2s(build_reply("failure", "invalid-mechanism"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
158 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
159 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
160
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
161 if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
162 session.sends2s(build_reply("failure", "encryption-required"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
163 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
164 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
165
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
166 local text = stanza[1];
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
167 if not text then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
168 session.sends2s(build_reply("failure", "malformed-request"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
169 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
170 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
171
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
172 text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
173 if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
174 session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
175 return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
176 end
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
177
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
178 -- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
179 if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
180 session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
181 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
182 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
183
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
184 -- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
185 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
186 session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
187 session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
188 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
189 end
4492
0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents: 4395
diff changeset
190
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
191 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
192 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
193 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
194 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
11526
15a3db955ad3 s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents: 11514
diff changeset
195 module:fire_event("s2s-authenticated", { session = session, host = session.from_host, mechanism = mechanism });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
196 session:reset_stream();
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
197 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
198 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
199
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
200 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
201 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
202 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
203 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
204 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
205
6033
0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents: 5535
diff changeset
206 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
207
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
208 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
209 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
210 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
211 if not session.sasl_handler then
4939
0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents: 4754
diff changeset
212 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
213 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
214 local mechanism = stanza.attr.mechanism;
6490
8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents: 6489
diff changeset
215 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
216 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
217 return true;
6492
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
218 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
219 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
220 return true;
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
221 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
222 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
223 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
224 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
225 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
226 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
227 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
228 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
229 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
230 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
231 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
232 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
233 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
234 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
235 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
236 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
237 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
238 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
239 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
240 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
241 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
242 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
243
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
244 local function tls_unique(self)
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
245 return self.userdata["tls-unique"]:getpeerfinished();
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
246 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
247
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
248 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
249 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
250 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
251 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
252 local origin, features = event.origin, event.features;
7896
1a2674123c1c mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents: 7784
diff changeset
253 local log = origin.log or log;
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
254 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
255 if secure_auth_only and not origin.secure then
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
256 log("debug", "Not offering authentication on insecure connection");
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
257 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
258 end
6517
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
259 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
260 origin.sasl_handler = sasl_handler;
5860
87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents: 5843
diff changeset
261 if origin.encrypted then
9993
02a41315d275 Fix various spelling mistakes [codespell]
Kim Alvefur <zash@zash.se>
parents: 9738
diff changeset
262 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
263 -- FIXME: would be nice to have this check only once and not for every socket
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
264 if sasl_handler.add_cb_handler then
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
265 local socket = origin.conn:socket();
11212
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
266 local info = socket.info and socket:info();
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
267 if info.protocol == "TLSv1.3" then
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
268 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
11213
992c4498a1e3 mod_saslauth: Only advertise channel binding if a finished message is available
Kim Alvefur <zash@zash.se>
parents: 11212
diff changeset
269 elseif socket.getpeerfinished and socket:getpeerfinished() then
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
270 log("debug", "Channel binding 'tls-unique' supported");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
271 sasl_handler:add_cb_handler("tls-unique", tls_unique);
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
272 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
273 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
274 end
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
275 sasl_handler["userdata"] = {
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
276 ["tls-unique"] = socket;
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
277 };
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
278 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
279 log("debug", "Channel binding not supported by SASL handler");
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
280 end
5832
7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents: 3983
diff changeset
281 end
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
282 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
283 local sasl_mechanisms = sasl_handler:mechanisms()
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
284 local available_mechanisms = set.new();
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
285 for mechanism in pairs(sasl_mechanisms) do
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
286 available_mechanisms:add(mechanism);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
287 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
288 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
289
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
290 local usable_mechanisms = available_mechanisms - disabled_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
291
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
292 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
293 if not available_disabled:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
294 log("debug", "Not offering disabled mechanisms: %s", available_disabled);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
295 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
296
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
297 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
298 if not origin.secure and not available_insecure:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
299 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
300 usable_mechanisms = usable_mechanisms - insecure_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
301 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
302
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
303 if not usable_mechanisms:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
304 log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
10481
7a3c04789d5c mod_saslauth: Advertise correct set of mechanisms
Kim Alvefur <zash@zash.se>
parents: 10340
diff changeset
305 for mechanism in usable_mechanisms do
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
306 mechanisms:tag("mechanism"):text(mechanism):up();
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
307 end
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
308 features:add_child(mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
309 return;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
310 end
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
311
12333
ed8a4f8dfd27 usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
Matthew Wild <mwild1@gmail.com>
parents: 12330
diff changeset
312 local authmod = module:get_option_string("authentication", "internal_hashed");
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
313 if available_mechanisms:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
314 log("warn", "No available SASL mechanisms, verify that the configured authentication module '%s' is loaded and configured correctly", authmod);
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
315 return;
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
316 end
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
317
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
318 if not origin.secure and not available_insecure:empty() then
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
319 if not available_disabled:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
320 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s) or disabled (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
321 authmod, available_insecure, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
322 else
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
323 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
324 authmod, available_insecure);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
325 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
326 elseif not available_disabled:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
327 log("warn", "All SASL mechanisms provided by authentication module '%s' are disabled (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
328 authmod, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
329 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
330
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
331 else
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
332 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
333 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
334 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
335 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
336
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
337 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
338 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
339 if origin.secure and origin.type == "s2sin_unauthed" then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
340 -- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
341 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
342 module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
343 origin.external_auth = "offered"
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
344 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
345 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
346 :up():up();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
347 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
348 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
349 end);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
350
7784
9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents: 7298
diff changeset
351 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
352 local origin, stanza = event.origin, event.stanza;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
353 local resource;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
354 if stanza.attr.type == "set" then
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
355 local bind = stanza.tags[1];
6302
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 6038
diff changeset
356 resource = bind:get_child("resource");
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
357 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
358 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
359 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
360 if success then
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
361 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
362 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
363 :tag("jid"):text(origin.full_jid));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
364 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
365 else
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
366 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
367 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
368 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
369 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
370 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
371
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
372 local function handle_legacy_session(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
373 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
374 return true;
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
375 end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
376
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
377 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
378 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);