Annotate

plugins/mod_saslauth.lua @ 13025:b7d0c1d75a37

mod_csi: Add metrics, covering changes and totals Motivation: Investigating clients that seem to forget to set CSI. Also, of course, MORE GRAPHS!
author Kim Alvefur <zash@zash.se>
date Thu, 06 Apr 2023 08:01:55 +0200
parent 12977:74b9e05af71e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5535
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
7899
2b3d0ab67f7d mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7897
diff changeset
8 -- luacheck: ignore 431/log
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
11 local st = require "prosody.util.stanza";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
12 local sm_bind_resource = require "prosody.core.sessionmanager".bind_resource;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
13 local sm_make_authenticated = require "prosody.core.sessionmanager".make_authenticated;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
14 local base64 = require "prosody.util.encodings".base64;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
15 local set = require "prosody.util.set";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
16 local errors = require "prosody.util.error";
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12912
diff changeset
18 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19
12330
38b5b05407be various: Require encryption by default for real
Kim Alvefur <zash@zash.se>
parents: 11526
diff changeset
20 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
6488
c91193b7e72c mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents: 6487
diff changeset
21 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
6493
4e51b5e81bdd mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents: 6492
diff changeset
22 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
7298
7056bbaf81ee mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents: 6519
diff changeset
23 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
3066
5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents: 3064
diff changeset
24
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
25 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
28 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
30 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
31 local reply = st.stanza(status, {xmlns = xmlns_sasl});
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
32 if status == "failure" then
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
33 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
34 if err_msg then reply:tag("text"):text(err_msg); end
6427
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
35 elseif status == "challenge" or status == "success" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
36 if ret == "" then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
37 reply:text("=")
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
38 elseif ret then
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
39 reply:text(base64.encode(ret));
7653bbd5247e mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents: 6425
diff changeset
40 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
41 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
42 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
45 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
46
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
47 local function handle_status(session, status, ret, err_msg)
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
48 if not session.sasl_handler then
11513
549c80feede6 mod_saslauth: Use a defined SASL error
Kim Alvefur <zash@zash.se>
parents: 11512
diff changeset
49 return "failure", "temporary-auth-failure", "Connection gone";
11512
a2ba6c0ac8ec mod_saslauth: Improve code style
Kim Alvefur <zash@zash.se>
parents: 11508
diff changeset
50 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
51 if status == "failure" then
4361
605045b77bc6 mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents: 4078
diff changeset
52 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
2251
18079ede5b62 mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents: 2242
diff changeset
53 session.sasl_handler = session.sasl_handler:clean_clone();
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
54 elseif status == "success" then
12641
e9865b0cfb89 mod_saslauth: Rename field from 'scope'->'role'
Matthew Wild <mwild1@gmail.com>
parents: 12594
diff changeset
55 local ok, err = sm_make_authenticated(session, session.sasl_handler.username, session.sasl_handler.role);
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
56 if ok then
12912
44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents: 12726
diff changeset
57 session.sasl_resource = session.sasl_handler.resource;
4504
55b61221ecb8 mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents: 4492
diff changeset
58 module:fire_event("authentication-success", { session = session });
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
59 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
60 session:reset_stream();
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
61 else
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
62 module:log("warn", "SASL succeeded but username was invalid");
4505
b1e10c327d66 mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents: 4504
diff changeset
63 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
64 session.sasl_handler = session.sasl_handler:clean_clone();
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
65 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
66 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
67 end
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
68 return status, ret, err_msg;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
69 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
70
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
71 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
72 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
73 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
74 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
75 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
76 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
77 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
78 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
79 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
80 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
81 local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
82 status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
83 local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
84 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
85 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
86 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
87
8042
5d5afaafac0f mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 7962
diff changeset
88 module:hook_tag(xmlns_sasl, "success", function (session)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
89 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
90 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
91 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
92 session:reset_stream();
5535
0df0afc041d7 mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents: 5362
diff changeset
93 session:open_stream(session.from_host, session.to_host);
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
94
11526
15a3db955ad3 s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents: 11514
diff changeset
95 module:fire_event("s2s-authenticated", { session = session, host = session.to_host, mechanism = "EXTERNAL" });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
96 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
97 end)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
98
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
99 module:hook_tag(xmlns_sasl, "failure", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
100 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
101
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
102 local text = stanza:get_child_text("text");
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
103 local condition = "unknown-condition";
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
104 for child in stanza:childtags() do
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
105 if child.name ~= "text" then
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
106 condition = child.name;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
107 break;
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
108 end
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
109 end
10487
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
110 local err = errors.new({
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
111 -- TODO type = what?
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
112 text = text,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
113 condition = condition,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
114 }, {
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
115 session = session,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
116 stanza = stanza,
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
117 });
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
118
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
119 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, err);
7939
6940d6db970b mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents: 6033
diff changeset
120
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
121 session.external_auth = "failed"
10487
02ccf2fbf000 mod_saslauth: Collect SASL EXTERNAL failures into an util.error object
Kim Alvefur <zash@zash.se>
parents: 10481
diff changeset
122 session.external_auth_failure_reason = err;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
123 end, 500)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
124
8513
c6be9bbd0a1a mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8512
diff changeset
125 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
126 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up");
10488
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
127 session:close(nil, session.external_auth_failure_reason, errors.new({
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
128 type = "wait", condition = "remote-server-timeout",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
129 text = "Could not authenticate to remote server",
03ff1e614b4d mod_saslauth: Set a nicer bounce error explaining SASL EXTERNAL failures
Kim Alvefur <zash@zash.se>
parents: 10487
diff changeset
130 }, { session = session, sasl_failure = session.external_auth_failure_reason, }));
8510
149e98f88680 mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents: 8509
diff changeset
131 return true;
8509
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
132 end, 90)
e1d274001855 Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents: 8479
diff changeset
133
7960
9a938b785bc5 mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents: 7940
diff changeset
134 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza)
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
135 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
136
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
137 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
138 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
139 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
140 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
141 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
142 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
143 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
144 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
145 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
146 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
147 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
148 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
149 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
150 end, 150);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
151
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
152 local function s2s_external_auth(session, stanza)
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
153 if session.external_auth ~= "offered" then return end -- Unexpected request
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
154
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
155 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
156
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
157 if mechanism ~= "EXTERNAL" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
158 session.sends2s(build_reply("failure", "invalid-mechanism"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
159 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
160 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
161
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
162 if not session.secure then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
163 session.sends2s(build_reply("failure", "encryption-required"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
164 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
165 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
166
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
167 local text = stanza[1];
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
168 if not text then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
169 session.sends2s(build_reply("failure", "malformed-request"));
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
170 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
171 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
172
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
173 text = base64.decode(text);
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
174 if not text then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
175 session.sends2s(build_reply("failure", "incorrect-encoding"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
176 return true;
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
177 end
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
178
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
179 -- The text value is either "" or equals session.from_host
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
180 if not ( text == "" or text == session.from_host ) then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
181 session.sends2s(build_reply("failure", "invalid-authzid"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
182 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
183 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
184
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
185 -- We've already verified the external cert identity before offering EXTERNAL
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
186 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
187 session.sends2s(build_reply("failure", "not-authorized"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
188 session:close();
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
189 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
190 end
4492
0a4781f165e3 mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents: 4395
diff changeset
191
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
192 -- Success!
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
193 session.external_auth = "succeeded";
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
194 session.sends2s(build_reply("success"));
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
195 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host);
11526
15a3db955ad3 s2s et al.: Add counters for connection state transitions
Jonas Schäfer <jonas@wielicki.name>
parents: 11514
diff changeset
196 module:fire_event("s2s-authenticated", { session = session, host = session.from_host, mechanism = mechanism });
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
197 session:reset_stream();
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
198 return true;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
199 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
200
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
201 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
202 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
203 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
204 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
205 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
206
6033
0d6f23049e95 mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents: 5535
diff changeset
207 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
208
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
209 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
210 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
211 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
212 if not session.sasl_handler then
4939
0545a574667b mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents: 4754
diff changeset
213 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
214 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
215 local mechanism = stanza.attr.mechanism;
6490
8ad74f48b2aa mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents: 6489
diff changeset
216 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
217 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
218 return true;
6492
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
219 elseif disabled_mechanisms:contains(mechanism) then
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
220 session.send(build_reply("failure", "invalid-mechanism"));
0d07fdc07d8c mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents: 6491
diff changeset
221 return true;
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
222 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
223 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
224 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
225 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
226 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
227 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
228 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
229 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
230 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
231 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
232 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
233 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
234 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
235 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
236 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
237 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
238 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
239 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
240 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
241 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
242 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
243 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
244
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
245 local function tls_unique(self)
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
246 return self.userdata["tls-unique"]:ssl_peerfinished();
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
247 end
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
248
12594
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
249 local function tls_exporter(conn)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
250 if not conn.ssl_exportkeyingmaterial then return end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
251 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
252 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
253
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
254 local function sasl_tls_exporter(self)
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
255 return tls_exporter(self.userdata["tls-exporter"]);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
256 end
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
257
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
258 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
259 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
260 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
261 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
262 local origin, features = event.origin, event.features;
7896
1a2674123c1c mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents: 7784
diff changeset
263 local log = origin.log or log;
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
264 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
265 if secure_auth_only and not origin.secure then
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
266 log("debug", "Not offering authentication on insecure connection");
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
267 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
268 end
6517
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
269 local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
e733e98a348a mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents: 6493
diff changeset
270 origin.sasl_handler = sasl_handler;
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
271 local channel_bindings = set.new()
5860
87e2fafba5df mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents: 5843
diff changeset
272 if origin.encrypted then
9993
02a41315d275 Fix various spelling mistakes [codespell]
Kim Alvefur <zash@zash.se>
parents: 9738
diff changeset
273 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
274 -- FIXME: would be nice to have this check only once and not for every socket
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
275 if sasl_handler.add_cb_handler then
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
276 local info = origin.conn:ssl_info();
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
277 if info and info.protocol == "TLSv1.3" then
11212
1bfd238e05ad mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
Kim Alvefur <zash@zash.se>
parents: 8513
diff changeset
278 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
12594
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
279 if tls_exporter(origin.conn) then
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
280 log("debug", "Channel binding 'tls-exporter' supported");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
281 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
282 channel_bindings:add("tls-exporter");
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
283 end
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
284 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
285 log("debug", "Channel binding 'tls-unique' supported");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
286 sasl_handler:add_cb_handler("tls-unique", tls_unique);
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
287 channel_bindings:add("tls-unique");
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
288 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
289 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
6518
c0d221b0c94c mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents: 6517
diff changeset
290 end
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
291 sasl_handler["userdata"] = {
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12333
diff changeset
292 ["tls-unique"] = origin.conn;
12594
29685403be32 mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)
Kim Alvefur <zash@zash.se>
parents: 12541
diff changeset
293 ["tls-exporter"] = origin.conn;
6519
367db22cf7d2 mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents: 6518
diff changeset
294 };
10337
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
295 else
39111f0e83d0 mod_saslauth: Log (debug) messages about channel binding
Kim Alvefur <zash@zash.se>
parents: 10334
diff changeset
296 log("debug", "Channel binding not supported by SASL handler");
5838
a2659baf8332 mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents: 5834
diff changeset
297 end
5832
7d100d917243 mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents: 3983
diff changeset
298 end
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
299 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
300 local sasl_mechanisms = sasl_handler:mechanisms()
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
301 local available_mechanisms = set.new();
7897
08bde6a6fd56 mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents: 7896
diff changeset
302 for mechanism in pairs(sasl_mechanisms) do
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
303 available_mechanisms:add(mechanism);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
304 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
305 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
306
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
307 local usable_mechanisms = available_mechanisms - disabled_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
308
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
309 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
310 if not available_disabled:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
311 log("debug", "Not offering disabled mechanisms: %s", available_disabled);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
312 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
313
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
314 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
315 if not origin.secure and not available_insecure:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
316 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure);
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
317 usable_mechanisms = usable_mechanisms - insecure_mechanisms;
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
318 end
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
319
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
320 if not usable_mechanisms:empty() then
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
321 log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
10481
7a3c04789d5c mod_saslauth: Advertise correct set of mechanisms
Kim Alvefur <zash@zash.se>
parents: 10340
diff changeset
322 for mechanism in usable_mechanisms do
4395
d322c4553f97 mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents: 4392
diff changeset
323 mechanisms:tag("mechanism"):text(mechanism):up();
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
324 end
12726
9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents: 12721
diff changeset
325 features:add_child(mechanisms);
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
326 if not channel_bindings:empty() then
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
327 -- XXX XEP-0440 is Experimental
12726
9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents: 12721
diff changeset
328 features:tag("sasl-channel-binding", {xmlns='urn:xmpp:sasl-cb:0'})
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
329 for channel_binding in channel_bindings do
12726
9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents: 12721
diff changeset
330 features:tag("channel-binding", {type=channel_binding}):up()
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
331 end
12726
9f100ab9ffdf mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0
Matthew Wild <mwild1@gmail.com>
parents: 12721
diff changeset
332 features:up();
12541
97af41d580f7 mod_saslauth: Advertise channel bindings via XEP-0440
Kim Alvefur <zash@zash.se>
parents: 12480
diff changeset
333 end
10338
56a0f68b7797 mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
Kim Alvefur <zash@zash.se>
parents: 10337
diff changeset
334 return;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
335 end
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
336
12333
ed8a4f8dfd27 usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
Matthew Wild <mwild1@gmail.com>
parents: 12330
diff changeset
337 local authmod = module:get_option_string("authentication", "internal_hashed");
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
338 if available_mechanisms:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
339 log("warn", "No available SASL mechanisms, verify that the configured authentication module '%s' is loaded and configured correctly", authmod);
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
340 return;
6489
1f07c72112d2 mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 6488
diff changeset
341 end
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
342
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
343 if not origin.secure and not available_insecure:empty() then
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
344 if not available_disabled:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
345 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s) or disabled (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
346 authmod, available_insecure, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
347 else
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
348 log("warn", "All SASL mechanisms provided by authentication module '%s' are forbidden on insecure connections (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
349 authmod, available_insecure);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
350 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
351 elseif not available_disabled:empty() then
10340
5c6912289ce3 mod_saslauth: Demote "no SASL mechanisms" error back to warning
Kim Alvefur <zash@zash.se>
parents: 10339
diff changeset
352 log("warn", "All SASL mechanisms provided by authentication module '%s' are disabled (%s)",
10339
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
353 authmod, available_disabled);
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
354 end
8b06d2d51e04 mod_saslauth: Improve logging of why no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents: 10338
diff changeset
355
12721
7830db3c38c3 mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831
Matthew Wild <mwild1@gmail.com>
parents: 12718
diff changeset
356 elseif not origin.full_jid then
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
357 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
358 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
359 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
360 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
361
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
362 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
363 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
364 if origin.secure and origin.type == "s2sin_unauthed" then
6425
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
365 -- Offer EXTERNAL only if both chain and identity is valid.
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
366 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
367 module:log("debug", "Offering SASL EXTERNAL");
436a670a0189 mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents: 6424
diff changeset
368 origin.external_auth = "offered"
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
369 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
370 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
371 :up():up();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
372 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
373 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
374 end);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
375
7784
9f70d35a1602 core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents: 7298
diff changeset
376 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
377 local origin, stanza = event.origin, event.stanza;
12912
44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents: 12726
diff changeset
378 local resource = origin.sasl_resource;
44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents: 12726
diff changeset
379 if stanza.attr.type == "set" and not resource then
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
380 local bind = stanza.tags[1];
6302
76699a0ae4c4 mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents: 6038
diff changeset
381 resource = bind:get_child("resource");
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
382 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
383 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
384 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
385 if success then
12912
44a78985471f mod_saslauth: Support for SASL handlers forcing a specific resource
Matthew Wild <mwild1@gmail.com>
parents: 12726
diff changeset
386 origin.sasl_resource = nil;
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
387 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
388 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
389 :tag("jid"):text(origin.full_jid));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
390 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
391 else
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
392 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
393 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
394 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
395 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
396 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
397
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
398 local function handle_legacy_session(event)
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
399 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
400 return true;
4029
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
401 end
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
402
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
403 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
fb027b2811c2 mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents: 3553
diff changeset
404 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);