util/sasl/oauthbearer.lua @ 13182:c48ae06e24d6
util.datamanager: Fix indexing first item if not at the very start
If the first item does not start at position 0 then the index function
produces a phantom first entry covering position zero until where the
real first item starts. When using the index, this would make it either
appear as if the first item was missing or cause an off-by-one issue with
the remaining items.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 10 Jul 2023 17:19:05 +0200 |
parent | 13112:b6aaab0846fe |
-- JSON encoder; used only to build the RFC 7628 error challenge body below.
local json = require "prosody.util.json";
-- Discard the global environment: with _ENV set to nil, any global read or
-- write below raises an error, so everything used must be a local or upvalue.
local _ENV = nil;

-- Scan the kvpair section of the client message (key "=" value kvsep, each
-- terminated by ^A) and return the value of the first "auth" pair, or nil
-- when no such pair is present.
local function scan_for_auth_value(kvpairs)
	for key, value in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
		if key == "auth" then
			return value;
		end
	end
	return nil;
end

-- Server-side handler for the SASL OAUTHBEARER mechanism (RFC 7628).
--
-- `self` is the SASL session; it must provide `profile.oauthbearer`, a
-- backend callback invoked as `profile.oauthbearer(self, token, self.realm,
-- authzid)` and expected to return `username, state, token_info`.
-- `message` is the raw client response (nil when absent).
--
-- Returns a SASL outcome: ("failure", reason), ("challenge", json_body)
-- or ("success"). On success `self.username` and `self.token_info` are set
-- from the callback's results.
local function oauthbearer(self, message)
	if not message then
		return "failure", "malformed-request";
	end

	-- A lone ^A is the client acknowledging the JSON error challenge sent
	-- below; the exchange then terminates in failure.
	if message == "\001" then
		return "failure", "not-authorized";
	end

	-- gs2-header kvsep *kvpair kvsep
	local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$");
	if gs2_header == nil then
		return "failure", "malformed-request";
	end

	-- Optional authorization identity ("a=...") from the GS2 header. It is
	-- passed to the backend as-is; no GS2 "=2C"/"=3D" unescaping happens here.
	local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$");

	local auth_header = scan_for_auth_value(kvpairs);
	if auth_header == nil then
		return "failure", "malformed-request";
	end

	-- NOTE(review): a non-"Bearer" scheme leaves token nil; the backend
	-- callback is still invoked and decides the outcome in that case.
	local token = auth_header:match("^Bearer (.+)$");

	local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid);

	if state == false then
		return "failure", "account-disabled";
	end

	if state == nil or not username then
		-- For token-level errors, RFC 7628 demands use of a JSON-encoded
		-- challenge response upon failure. We relay additional info from
		-- the auth backend if available.
		local info = token_info or {};
		local error_body = {
			status = info.status or "invalid_token";
			scope = info.scope or nil;
			["openid-configuration"] = info.oidc_discovery_url or nil;
		};
		return "challenge", json.encode(error_body);
	end

	self.username = username;
	self.token_info = token_info;

	return "success";
end

-- Registration hook: registers the OAUTHBEARER mechanism with the supplied
-- `registerMechanism` function, naming "oauthbearer" as the single profile
-- callback the handler requires.
local function init(registerMechanism)
	local mechanism_name = "OAUTHBEARER";
	local required_callbacks = { "oauthbearer" };
	registerMechanism(mechanism_name, required_callbacks, oauthbearer);
end

-- Module interface: `init` is the only export.
return { init = init };