Annotate

plugins/mod_legacyauth.lua @ 10390:82705ec87253 0.11

util.startup: Ensure prosody.paths are absolute (see #1430) Normally these paths are injected into the installed 'prosody' executable as absolute paths, but it is possible to override at least the config path via environment variable or command line argument. This makes sure a path relative to pwd stays relative to that instead of the data directory.
author Kim Alvefur <zash@zash.se>
date Mon, 04 Nov 2019 00:29:49 +0100
parent 8768:bd88ca43d77a
child 10557:e1cb869e2f6c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1218
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 1912
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 1912
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5126
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 615
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 615
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 438
diff changeset
7 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 438
diff changeset
8
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 438
diff changeset
9
30
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 local t_concat = table.concat;
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13
6487
edc63dc72566 mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default option to s2s_require_encryption so the later overrides the former
Kim Alvefur <zash@zash.se>
parents: 6302
diff changeset
14 local secure_auth_only = module:get_option("c2s_require_encryption",
edc63dc72566 mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default option to s2s_require_encryption so the later overrides the former
Kim Alvefur <zash@zash.se>
parents: 6302
diff changeset
15 module:get_option("require_encryption"))
4258
ee445e658848 mod_legacyauth: Disallow on unencrypted connections by default, heed allow_unencrypted_plain_auth config option (thanks Maranda/Zash)
Matthew Wild <mwild1@gmail.com>
parents: 3528
diff changeset
16 or not(module:get_option("allow_unencrypted_plain_auth"));
1216
fd8ce71bc72b mod_saslauth, mod_legacyauth: Deny logins to unsecure sessions when require_encryption config option is true
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
17
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 896
diff changeset
18 local sessionmanager = require "core.sessionmanager";
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 896
diff changeset
19 local usermanager = require "core.usermanager";
1831
ced7a6b8bcd0 mod_legacyauth: Added node and resource prepping.
Waqas Hussain <waqas20@gmail.com>
parents: 1523
diff changeset
20 local nodeprep = require "util.encodings".stringprep.nodeprep;
ced7a6b8bcd0 mod_legacyauth: Added node and resource prepping.
Waqas Hussain <waqas20@gmail.com>
parents: 1523
diff changeset
21 local resourceprep = require "util.encodings".stringprep.resourceprep;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 896
diff changeset
22
541
3521e0851c9e Change modules to use the new add_feature module API method.
Waqas Hussain <waqas20@gmail.com>
parents: 519
diff changeset
23 module:add_feature("jabber:iq:auth");
2610
c9ed79940b2e mod_legacyauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 1912
diff changeset
24 module:hook("stream-features", function(event)
c9ed79940b2e mod_legacyauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 1912
diff changeset
25 local origin, features = event.origin, event.features;
c9ed79940b2e mod_legacyauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 1912
diff changeset
26 if secure_auth_only and not origin.secure then
1218
8e02c10c9e60 mod_legacyauth: Hide stream feature when secure auth is enabled, and session isn't secure
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
27 -- Sorry, not offering to insecure streams!
8e02c10c9e60 mod_legacyauth: Hide stream feature when secure auth is enabled, and session isn't secure
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
28 return;
2610
c9ed79940b2e mod_legacyauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 1912
diff changeset
29 elseif not origin.username then
1218
8e02c10c9e60 mod_legacyauth: Hide stream feature when secure auth is enabled, and session isn't secure
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
30 features:tag("auth", {xmlns='http://jabber.org/features/iq-auth'}):up();
8e02c10c9e60 mod_legacyauth: Hide stream feature when secure auth is enabled, and session isn't secure
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
31 end
891
236d1ce9fa99 mod_legacyauth: Added stream feature: <auth xmlns='http://jabber.org/features/iq-auth'/>
Waqas Hussain <waqas20@gmail.com>
parents: 760
diff changeset
32 end);
421
63be85693710 Modules now sending disco replies
Waqas Hussain <waqas20@gmail.com>
parents: 308
diff changeset
33
3527
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
34 module:hook("stanza/iq/jabber:iq:auth:query", function(event)
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
35 local session, stanza = event.origin, event.stanza;
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
36
3528
5cdcd7ee6ef5 mod_legacyauth: Limit authentication to unauthenticated client connections.
Waqas Hussain <waqas20@gmail.com>
parents: 3527
diff changeset
37 if session.type ~= "c2s_unauthed" then
8768
bd88ca43d77a mod_legacyauth: Split a long line [luacheck]
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
38 (session.sends2s or session.send)(st.error_reply(stanza, "cancel", "service-unavailable",
bd88ca43d77a mod_legacyauth: Split a long line [luacheck]
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
39 "Legacy authentication is only allowed for unauthenticated client connections."));
3528
5cdcd7ee6ef5 mod_legacyauth: Limit authentication to unauthenticated client connections.
Waqas Hussain <waqas20@gmail.com>
parents: 3527
diff changeset
40 return true;
5cdcd7ee6ef5 mod_legacyauth: Limit authentication to unauthenticated client connections.
Waqas Hussain <waqas20@gmail.com>
parents: 3527
diff changeset
41 end
5cdcd7ee6ef5 mod_legacyauth: Limit authentication to unauthenticated client connections.
Waqas Hussain <waqas20@gmail.com>
parents: 3527
diff changeset
42
3527
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
43 if secure_auth_only and not session.secure then
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
44 session.send(st.error_reply(stanza, "modify", "not-acceptable", "Encryption (SSL or TLS) is required to connect to this server"));
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
45 return true;
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
46 end
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5126
diff changeset
47
6302
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 5776
diff changeset
48 local query = stanza.tags[1];
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 5776
diff changeset
49 local username = query:get_child("username");
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 5776
diff changeset
50 local password = query:get_child("password");
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 5776
diff changeset
51 local resource = query:get_child("resource");
3527
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
52 if not (username and password and resource) then
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
53 local reply = st.reply(stanza);
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
54 session.send(reply:query("jabber:iq:auth")
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
55 :tag("username"):up()
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
56 :tag("password"):up()
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
57 :tag("resource"):up());
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
58 else
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
59 username, password, resource = t_concat(username), t_concat(password), t_concat(resource);
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
60 username = nodeprep(username);
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
61 resource = resourceprep(resource)
5083
4629c60a303b mod_legacyauth: Return an error if username or resource fails stringprep (thanks iron)
Kim Alvefur <zash@zash.se>
parents: 4258
diff changeset
62 if not (username and resource) then
4629c60a303b mod_legacyauth: Return an error if username or resource fails stringprep (thanks iron)
Kim Alvefur <zash@zash.se>
parents: 4258
diff changeset
63 session.send(st.error_reply(stanza, "modify", "bad-request"));
4629c60a303b mod_legacyauth: Return an error if username or resource fails stringprep (thanks iron)
Kim Alvefur <zash@zash.se>
parents: 4258
diff changeset
64 return true;
4629c60a303b mod_legacyauth: Return an error if username or resource fails stringprep (thanks iron)
Kim Alvefur <zash@zash.se>
parents: 4258
diff changeset
65 end
3527
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
66 if usermanager.test_password(username, session.host, password) then
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
67 -- Authentication successful!
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
68 local success, err = sessionmanager.make_authenticated(session, username);
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
69 if success then
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
70 local err_type, err_msg;
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
71 success, err_type, err, err_msg = sessionmanager.bind_resource(session, resource);
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
72 if not success then
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
73 session.send(st.error_reply(stanza, err_type, err, err_msg));
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
74 session.username, session.type = nil, "c2s_unauthed"; -- FIXME should this be placed in sessionmanager?
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
75 return true;
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
76 elseif resource ~= session.resource then -- server changed resource, not supported by legacy auth
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
77 session.send(st.error_reply(stanza, "cancel", "conflict", "The requested resource could not be assigned to this session."));
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
78 session:close(); -- FIXME undo resource bind and auth instead of closing the session?
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
79 return true;
30
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 end
bcf539295f2d Huge commit to:
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 end
3527
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
82 session.send(st.reply(stanza));
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
83 else
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
84 session.send(st.error_reply(stanza, "auth", "not-authorized"));
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
85 end
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
86 end
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
87 return true;
59cdb9166bd0 mod_legacyauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3395
diff changeset
88 end);