Software / code / prosody
Annotate
plugins/mod_saslauth.lua @ 13262:9a86e7cbdd79
mod_storage_internal: Fix fast trimming of archive with exactly one item
This method would previously never delete the first (and only) item
since it works out which item should become the first item after the
trim operation, which doesn't make sense when all should be removed.
This also works as an optimization for when all the last item should be
trimmed, thus items should be removed.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 24 Sep 2023 13:41:54 +0200 |
| parent | 12977:74b9e05af71e |
| rev | line source |
|---|---|
|
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1486
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2877
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2877
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5535
diff
changeset
|
4 -- |
| 758 | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
449
diff
changeset
|
7 -- |
|
7899
2b3d0ab67f7d
mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7897
diff
changeset
|
8 -- luacheck: ignore 431/log |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
449
diff
changeset
|
9 |
| 38 | 10 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
11 local st = require "prosody.util.stanza"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
12 local sm_bind_resource = require "prosody.core.sessionmanager".bind_resource; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
13 local sm_make_authenticated = require "prosody.core.sessionmanager".make_authenticated; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
14 local base64 = require "prosody.util.encodings".base64; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
15 local set = require "prosody.util.set"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
16 local errors = require "prosody.util.error"; |
| 38 | 17 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12912
diff
changeset
|
18 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; |
| 38 | 19 |
|
12330
38b5b05407be
various: Require encryption by default for real
Kim Alvefur <zash@zash.se>
parents:
11526
diff
changeset
|
20 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); |
|
6488
c91193b7e72c
mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents:
6487
diff
changeset
|
21 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
|
6493
4e51b5e81bdd
mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents:
6492
diff
changeset
|
22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
|
7298
7056bbaf81ee
mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents:
6519
diff
changeset
|
23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
|
3066
5e5137057b5f
mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents:
3064
diff
changeset
|
24 |
|
1071
216f9a9001f1
mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
25 local log = module._log; |
| 38 | 26 |
| 27 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | |
|
46
d6b3f9dbb624
Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents:
38
diff
changeset
|
28 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
| 38 | 29 |
|
292
33175ad2f682
Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents:
291
diff
changeset
|
30 local function build_reply(status, ret, err_msg) |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
31 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
|
6427
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
32 if status == "failure" then |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
33 reply:tag(ret):up(); |
|
293
b446de4e258e
base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents:
292
diff
changeset
|
34 if err_msg then reply:tag("text"):text(err_msg); end |
|
6427
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
35 elseif status == "challenge" or status == "success" then |
|
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
36 if ret == "" then |
|
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
37 reply:text("=") |
|
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
38 elseif ret then |
|
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
39 reply:text(base64.encode(ret)); |
|
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
40 end |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
41 else |
|
1073
7c20373d4451
mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents:
1072
diff
changeset
|
42 module:log("error", "Unknown sasl status: %s", status); |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
43 end |
|
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
44 return reply; |
|
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
45 end |
|
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
46 |
|
3062
892c49869293
mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents:
3061
diff
changeset
|
47 local function handle_status(session, status, ret, err_msg) |
|
11512
a2ba6c0ac8ec
mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents:
11508
diff
changeset
|
48 if not session.sasl_handler then |
|
11513
549c80feede6
mod_saslauth: Use a defined SASL error
Kim Alvefur <zash@zash.se>
parents:
11512
diff
changeset
|
49 return "failure", "temporary-auth-failure", "Connection gone"; |
|
11512
a2ba6c0ac8ec
mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents:
11508
diff
changeset
|
50 end |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
51 if status == "failure" then |
|
4361
605045b77bc6
mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents:
4078
diff
changeset
|
52 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg }); |
|
2251
18079ede5b62
mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents:
2242
diff
changeset
|
53 session.sasl_handler = session.sasl_handler:clean_clone(); |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
54 elseif status == "success" then |
|
12641
e9865b0cfb89
mod_saslauth: Rename field from 'scope'->'role'
Matthew Wild <mwild1@gmail.com>
parents:
12594
diff
changeset
|
55 local ok, err = sm_make_authenticated(session, session.sasl_handler.username, session.sasl_handler.role); |
|
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
56 if ok then |
|
12912
44a78985471f
mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents:
12726
diff
changeset
|
57 session.sasl_resource = session.sasl_handler.resource; |
|
4504
55b61221ecb8
mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents:
4492
diff
changeset
|
58 module:fire_event("authentication-success", { session = session }); |
|
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
59 session.sasl_handler = nil; |
|
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
60 session:reset_stream(); |
|
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
61 else |
|
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
62 module:log("warn", "SASL succeeded but username was invalid"); |
|
4505
b1e10c327d66
mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents:
4504
diff
changeset
|
63 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err }); |
|
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
64 session.sasl_handler = session.sasl_handler:clean_clone(); |
|
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
65 return "failure", "not-authorized", "User authenticated successfully, but username was invalid"; |
|
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
66 end |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
67 end |
|
3062
892c49869293
mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents:
3061
diff
changeset
|
68 return status, ret, err_msg; |
|
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
69 end |
|
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
70 |
|
3551
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
71 local function sasl_process_cdata(session, stanza) |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
72 local text = stanza[1]; |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
73 if text then |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
74 text = base64.decode(text); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
75 if not text then |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
76 session.sasl_handler = nil; |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
77 session.send(build_reply("failure", "incorrect-encoding")); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
78 return true; |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
79 end |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
80 end |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
81 local status, ret, err_msg = session.sasl_handler:process(text); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
82 status, ret, err_msg = handle_status(session, status, ret, err_msg); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
83 local s = build_reply(status, ret, err_msg); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
84 session.send(s); |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
85 return true; |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
86 end |
|
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
87 |
|
8042
5d5afaafac0f
mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7962
diff
changeset
|
88 module:hook_tag(xmlns_sasl, "success", function (session) |
| 3651 | 89 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end |
| 90 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host); | |
| 91 session.external_auth = "succeeded" | |
| 92 session:reset_stream(); | |
|
5535
0df0afc041d7
mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents:
5362
diff
changeset
|
93 session:open_stream(session.from_host, session.to_host); |
| 3651 | 94 |
|
11526
15a3db955ad3
s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents:
11514
diff
changeset
|
95 module:fire_event("s2s-authenticated", { session = session, host = session.to_host, mechanism = "EXTERNAL" }); |
| 3651 | 96 return true; |
| 97 end) | |
| 98 | |
|
7960
9a938b785bc5
mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents:
7940
diff
changeset
|
99 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) |
| 3651 | 100 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end |
| 101 | |
|
7939
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
102 local text = stanza:get_child_text("text"); |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
103 local condition = "unknown-condition"; |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
104 for child in stanza:childtags() do |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
105 if child.name ~= "text" then |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
106 condition = child.name; |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
107 break; |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
108 end |
|
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
109 end |
|
10487
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
110 local err = errors.new({ |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
111 -- TODO type = what? |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
112 text = text, |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
113 condition = condition, |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
114 }, { |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
115 session = session, |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
116 stanza = stanza, |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
117 }); |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
118 |
|
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
119 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, err); |
|
7939
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
120 |
| 3651 | 121 session.external_auth = "failed" |
|
10487
02ccf2fbf000
mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents:
10481
diff
changeset
|
122 session.external_auth_failure_reason = err; |
| 3651 | 123 end, 500) |
| 124 | |
|
8513
c6be9bbd0a1a
mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8512
diff
changeset
|
125 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza |
|
8510
149e98f88680
mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents:
8509
diff
changeset
|
126 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up"); |
|
10488
03ff1e614b4d
mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents:
10487
diff
changeset
|
127 session:close(nil, session.external_auth_failure_reason, errors.new({ |
|
03ff1e614b4d
mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents:
10487
diff
changeset
|
128 type = "wait", condition = "remote-server-timeout", |
|
03ff1e614b4d
mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents:
10487
diff
changeset
|
129 text = "Could not authenticate to remote server", |
|
03ff1e614b4d
mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents:
10487
diff
changeset
|
130 }, { session = session, sasl_failure = session.external_auth_failure_reason, })); |
|
8510
149e98f88680
mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents:
8509
diff
changeset
|
131 return true; |
|
8509
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8479
diff
changeset
|
132 end, 90) |
|
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8479
diff
changeset
|
133 |
|
7960
9a938b785bc5
mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents:
7940
diff
changeset
|
134 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza) |
| 3651 | 135 if session.type ~= "s2sout_unauthed" or not session.secure then return; end |
| 136 | |
| 137 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl) | |
| 138 if mechanisms then | |
| 139 for mech in mechanisms:childtags() do | |
| 140 if mech[1] == "EXTERNAL" then | |
| 141 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host); | |
| 142 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"}); | |
| 143 reply:text(base64.encode(session.from_host)) | |
| 144 session.sends2s(reply) | |
| 145 session.external_auth = "attempting" | |
| 146 return true | |
| 147 end | |
| 148 end | |
| 149 end | |
| 150 end, 150); | |
| 151 | |
| 152 local function s2s_external_auth(session, stanza) | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
153 if session.external_auth ~= "offered" then return end -- Unexpected request |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
154 |
| 3651 | 155 local mechanism = stanza.attr.mechanism; |
| 156 | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
157 if mechanism ~= "EXTERNAL" then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
158 session.sends2s(build_reply("failure", "invalid-mechanism")); |
| 3651 | 159 return true; |
| 160 end | |
| 161 | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
162 if not session.secure then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
163 session.sends2s(build_reply("failure", "encryption-required")); |
| 3651 | 164 return true; |
| 165 end | |
| 166 | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
167 local text = stanza[1]; |
| 3651 | 168 if not text then |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
169 session.sends2s(build_reply("failure", "malformed-request")); |
| 3651 | 170 return true; |
| 171 end | |
| 172 | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
173 text = base64.decode(text); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
174 if not text then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
175 session.sends2s(build_reply("failure", "incorrect-encoding")); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
176 return true; |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
177 end |
| 3651 | 178 |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
179 -- The text value is either "" or equals session.from_host |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
180 if not ( text == "" or text == session.from_host ) then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
181 session.sends2s(build_reply("failure", "invalid-authzid")); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
182 return true; |
| 3651 | 183 end |
| 184 | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
185 -- We've already verified the external cert identity before offering EXTERNAL |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
186 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
187 session.sends2s(build_reply("failure", "not-authorized")); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
188 session:close(); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
189 return true; |
| 3651 | 190 end |
|
4492
0a4781f165e3
mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents:
4395
diff
changeset
|
191 |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
192 -- Success! |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
193 session.external_auth = "succeeded"; |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
194 session.sends2s(build_reply("success")); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
195 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host); |
|
11526
15a3db955ad3
s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents:
11514
diff
changeset
|
196 module:fire_event("s2s-authenticated", { session = session, host = session.from_host, mechanism = mechanism }); |
| 3651 | 197 session:reset_stream(); |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
198 return true; |
| 3651 | 199 end |
| 200 | |
|
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
201 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) |
|
3535
b953b0c0f203
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3524
diff
changeset
|
202 local session, stanza = event.origin, event.stanza; |
| 3651 | 203 if session.type == "s2sin_unauthed" then |
| 204 return s2s_external_auth(session, stanza) | |
| 205 end | |
| 206 | |
|
6033
0d6f23049e95
mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents:
5535
diff
changeset
|
207 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end |
|
3535
b953b0c0f203
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3524
diff
changeset
|
208 |
|
3553
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
209 if session.sasl_handler and session.sasl_handler.selected then |
|
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
210 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
|
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
211 end |
|
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
212 if not session.sasl_handler then |
|
4939
0545a574667b
mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents:
4754
diff
changeset
|
213 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); |
|
3553
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
214 end |
|
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
215 local mechanism = stanza.attr.mechanism; |
|
6490
8ad74f48b2aa
mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents:
6489
diff
changeset
|
216 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then |
|
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
217 session.send(build_reply("failure", "encryption-required")); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
218 return true; |
|
6492
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
219 elseif disabled_mechanisms:contains(mechanism) then |
|
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
220 session.send(build_reply("failure", "invalid-mechanism")); |
|
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
221 return true; |
|
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
222 end |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
223 local valid_mechanism = session.sasl_handler:select(mechanism); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
224 if not valid_mechanism then |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
225 session.send(build_reply("failure", "invalid-mechanism")); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
226 return true; |
|
295
bb078eb1f1de
mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
293
diff
changeset
|
227 end |
|
3551
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
228 return sasl_process_cdata(session, stanza); |
|
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
229 end); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
230 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event) |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
231 local session = event.origin; |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
232 if not(session.sasl_handler and session.sasl_handler.selected) then |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
233 session.send(build_reply("failure", "not-authorized", "Out of order SASL element")); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
234 return true; |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
235 end |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
236 return sasl_process_cdata(session, event.stanza); |
|
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
237 end); |
|
3548
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
238 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) |
|
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
239 local session = event.origin; |
|
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
240 session.sasl_handler = nil; |
|
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
241 session.send(build_reply("failure", "aborted")); |
|
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
242 return true; |
|
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
243 end); |
|
284
4f540755260c
mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents:
281
diff
changeset
|
244 |
|
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
245 local function tls_unique(self) |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12333
diff
changeset
|
246 return self.userdata["tls-unique"]:ssl_peerfinished(); |
|
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
247 end |
|
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
248 |
|
12594
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
249 local function tls_exporter(conn) |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
250 if not conn.ssl_exportkeyingmaterial then return end |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
251 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, ""); |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
252 end |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
253 |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
254 local function sasl_tls_exporter(self) |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
255 return tls_exporter(self.userdata["tls-exporter"]); |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
256 end |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
257 |
|
357
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
258 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; |
|
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
259 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; |
|
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
260 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; |
|
2612
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
261 module:hook("stream-features", function(event) |
|
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
262 local origin, features = event.origin, event.features; |
|
7896
1a2674123c1c
mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents:
7784
diff
changeset
|
263 local log = origin.log or log; |
|
2612
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
264 if not origin.username then |
|
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
265 if secure_auth_only and not origin.secure then |
|
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
266 log("debug", "Not offering authentication on insecure connection"); |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
267 return; |
|
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
268 end |
|
6517
e733e98a348a
mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents:
6493
diff
changeset
|
269 local sasl_handler = usermanager_get_sasl_handler(module.host, origin) |
|
e733e98a348a
mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents:
6493
diff
changeset
|
270 origin.sasl_handler = sasl_handler; |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
271 local channel_bindings = set.new() |
|
5860
87e2fafba5df
mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents:
5843
diff
changeset
|
272 if origin.encrypted then |
|
9993
02a41315d275
Fix various spelling mistakes [codespell]
Kim Alvefur <zash@zash.se>
parents:
9738
diff
changeset
|
273 -- check whether LuaSec has the nifty binding to the function needed for tls-unique |
|
5838
a2659baf8332
mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents:
5834
diff
changeset
|
274 -- FIXME: would be nice to have this check only once and not for every socket |
|
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
275 if sasl_handler.add_cb_handler then |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12333
diff
changeset
|
276 local info = origin.conn:ssl_info(); |
|
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12333
diff
changeset
|
277 if info and info.protocol == "TLSv1.3" then |
|
11212
1bfd238e05ad
mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents:
8513
diff
changeset
|
278 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); |
|
12594
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
279 if tls_exporter(origin.conn) then |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
280 log("debug", "Channel binding 'tls-exporter' supported"); |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
281 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter); |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
282 channel_bindings:add("tls-exporter"); |
|
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
283 end |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12333
diff
changeset
|
284 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then |
|
10337
39111f0e83d0
mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents:
10334
diff
changeset
|
285 log("debug", "Channel binding 'tls-unique' supported"); |
|
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
286 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
287 channel_bindings:add("tls-unique"); |
|
10337
39111f0e83d0
mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents:
10334
diff
changeset
|
288 else |
|
39111f0e83d0
mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents:
10334
diff
changeset
|
289 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); |
|
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
290 end |
|
6519
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
291 sasl_handler["userdata"] = { |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12333
diff
changeset
|
292 ["tls-unique"] = origin.conn; |
|
12594
29685403be32
mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents:
12541
diff
changeset
|
293 ["tls-exporter"] = origin.conn; |
|
6519
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
294 }; |
|
10337
39111f0e83d0
mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents:
10334
diff
changeset
|
295 else |
|
39111f0e83d0
mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents:
10334
diff
changeset
|
296 log("debug", "Channel binding not supported by SASL handler"); |
|
5838
a2659baf8332
mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents:
5834
diff
changeset
|
297 end |
|
5832
7d100d917243
mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents:
3983
diff
changeset
|
298 end |
|
4395
d322c4553f97
mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents:
4392
diff
changeset
|
299 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
|
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
300 local sasl_mechanisms = sasl_handler:mechanisms() |
|
10338
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
301 local available_mechanisms = set.new(); |
|
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
302 for mechanism in pairs(sasl_mechanisms) do |
|
10338
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
303 available_mechanisms:add(mechanism); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
304 end |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
305 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
306 |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
307 local usable_mechanisms = available_mechanisms - disabled_mechanisms; |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
308 |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
309 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
310 if not available_disabled:empty() then |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
311 log("debug", "Not offering disabled mechanisms: %s", available_disabled); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
312 end |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
313 |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
314 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
315 if not origin.secure and not available_insecure:empty() then |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
316 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure); |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
317 usable_mechanisms = usable_mechanisms - insecure_mechanisms; |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
318 end |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
319 |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
320 if not usable_mechanisms:empty() then |
|
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
321 log("debug", "Offering usable mechanisms: %s", usable_mechanisms); |
|
10481
7a3c04789d5c
mod_saslauth: Advertise correct set of mechanisms
Kim Alvefur <zash@zash.se>
parents:
10340
diff
changeset
|
322 for mechanism in usable_mechanisms do |
|
4395
d322c4553f97
mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents:
4392
diff
changeset
|
323 mechanisms:tag("mechanism"):text(mechanism):up(); |
|
3417
53e854b52110
mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents:
3416
diff
changeset
|
324 end |
|
12726
9f100ab9ffdf
mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents:
12721
diff
changeset
|
325 features:add_child(mechanisms); |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
326 if not channel_bindings:empty() then |
|
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
327 -- XXX XEP-0440 is Experimental |
|
12726
9f100ab9ffdf
mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents:
12721
diff
changeset
|
328 features:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'}) |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
329 for channel_binding in channel_bindings do |
|
12726
9f100ab9ffdf
mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents:
12721
diff
changeset
|
330 features:tag("channel-binding", {type=channel_binding}):up() |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
331 end |
|
12726
9f100ab9ffdf
mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents:
12721
diff
changeset
|
332 features:up(); |
|
12541
97af41d580f7
mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents:
12480
diff
changeset
|
333 end |
|
10338
56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents:
10337
diff
changeset
|
334 return; |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
335 end |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
336 |
|
12333
ed8a4f8dfd27
usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
Matthew Wild <mwild1@gmail.com>
parents:
12330
diff
changeset
|
337 local authmod = module:get_option_string("authentication", "internal_hashed"); |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
338 if available_mechanisms:empty() then |
|
10340
5c6912289ce3
mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents:
10339
diff
changeset
|
339 log("warn", "No available SASL mechanisms, verify that the configured authentication module '%s' is loaded and configured correctly", authmod); |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
340 return; |
|
6489
1f07c72112d2
mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
6488
diff
changeset
|
341 end |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
342 |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
343 if not origin.secure and not available_insecure:empty() then |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
344 if not available_disabled:empty() then |
|
10340
5c6912289ce3
mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents:
10339
diff
changeset
|
345 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s) or disabled (%s)", |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
346 authmod, available_insecure, available_disabled); |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
347 else |
|
10340
5c6912289ce3
mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents:
10339
diff
changeset
|
348 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s)", |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
349 authmod, available_insecure); |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
350 end |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
351 elseif not available_disabled:empty() then |
|
10340
5c6912289ce3
mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents:
10339
diff
changeset
|
352 log("warn", "All SASL mechanisms provided by authentication module '%s' are disabled (%s)", |
|
10339
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
353 authmod, available_disabled); |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
354 end |
|
8b06d2d51e04
mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
10338
diff
changeset
|
355 |
|
12721
7830db3c38c3
mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831
Matthew Wild <mwild1@gmail.com>
parents:
12718
diff
changeset
|
356 elseif not origin.full_jid then |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
357 features:tag("bind", bind_attr):tag("required"):up():up(); |
|
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
358 features:tag("session", xmpp_session_attr):tag("optional"):up():up(); |
|
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
359 end |
|
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
360 end); |
|
1584
ffe8a9296e04
mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents:
1523
diff
changeset
|
361 |
| 3651 | 362 module:hook("s2s-stream-features", function(event) |
| 363 local origin, features = event.origin, event.features; | |
| 364 if origin.secure and origin.type == "s2sin_unauthed" then | |
|
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
365 -- Offer EXTERNAL only if both chain and identity is valid. |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
366 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
367 module:log("debug", "Offering SASL EXTERNAL"); |
|
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
368 origin.external_auth = "offered" |
| 3651 | 369 features:tag("mechanisms", { xmlns = xmlns_sasl }) |
| 370 :tag("mechanism"):text("EXTERNAL") | |
| 371 :up():up(); | |
| 372 end | |
| 373 end | |
| 374 end); | |
| 375 | |
|
7784
9f70d35a1602
core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents:
7298
diff
changeset
|
376 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event) |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
377 local origin, stanza = event.origin, event.stanza; |
|
12912
44a78985471f
mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents:
12726
diff
changeset
|
378 local resource = origin.sasl_resource; |
|
44a78985471f
mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents:
12726
diff
changeset
|
379 if stanza.attr.type == "set" and not resource then |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
380 local bind = stanza.tags[1]; |
|
6302
76699a0ae4c4
mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents:
6038
diff
changeset
|
381 resource = bind:get_child("resource"); |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
382 resource = resource and #resource.tags == 0 and resource[1] or nil; |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
383 end |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
384 local success, err_type, err, err_msg = sm_bind_resource(origin, resource); |
|
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
385 if success then |
|
12912
44a78985471f
mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents:
12726
diff
changeset
|
386 origin.sasl_resource = nil; |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
387 origin.send(st.reply(stanza) |
|
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
388 :tag("bind", { xmlns = xmlns_bind }) |
|
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
389 :tag("jid"):text(origin.full_jid)); |
|
3524
d206b4e0a9f3
mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents:
3523
diff
changeset
|
390 origin.log("debug", "Resource bound: %s", origin.full_jid); |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
391 else |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
392 origin.send(st.error_reply(stanza, err_type, err, err_msg)); |
|
3524
d206b4e0a9f3
mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents:
3523
diff
changeset
|
393 origin.log("debug", "Resource bind failed: %s", err_msg or err); |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
394 end |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
395 return true; |
|
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
396 end); |
|
1584
ffe8a9296e04
mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents:
1523
diff
changeset
|
397 |
|
4029
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
398 local function handle_legacy_session(event) |
|
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
399 event.origin.send(st.reply(event.stanza)); |
|
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
400 return true; |
|
4029
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
401 end |
|
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
402 |
|
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
403 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session); |
|
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
404 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session); |
