Annotate

plugins/mod_saslauth.lua @ 2784:e165414a454c

mod_saslauth: Requiring c2s encryption means requiring c2s encryption... thanks Flo
author Matthew Wild <mwild1@gmail.com>
date Mon, 21 Dec 2009 22:00:49 +0000
parent 2014:913c0845ef9a
child 2877:1edeb8fe7d14
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
760
90ce865eebd8 Update copyright notices for 2009
Matthew Wild <mwild1@gmail.com>
parents: 759
diff changeset
2 -- Copyright (C) 2008-2009 Matthew Wild
90ce865eebd8 Update copyright notices for 2009
Matthew Wild <mwild1@gmail.com>
parents: 759
diff changeset
3 -- Copyright (C) 2008-2009 Waqas Hussain
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
8
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
447
c0dae734d3bf Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents: 438
diff changeset
14 local base64 = require "util.encodings".base64;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
1721
1dcfb2c64302 Use NODEprep for prepping usernames used during SASL logins.
Tobias Markmann <tm@ayena.de>
parents: 1523
diff changeset
16 local nodeprep = require "util.encodings".stringprep.nodeprep;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
17 local datamanager_load = require "util.datamanager".load;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 local usermanager_validate_credentials = require "core.usermanager".validate_credentials;
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
19 local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods;
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1584
diff changeset
20 local usermanager_user_exists = require "core.usermanager".user_exists;
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1584
diff changeset
21 local usermanager_get_password = require "core.usermanager".get_password;
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
22 local t_concat, t_insert = table.concat, table.insert;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 local tostring = tostring;
288
dc53343af9ac Set username in a SASL object.
Tobias Markmann <tm@ayena.de>
parents: 286
diff changeset
24 local jid_split = require "util.jid".split
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 447
diff changeset
25 local md5 = require "util.hashes".md5;
887
eef21d7bbe04 mod_saslauth: Disable SASL ANONYMOUS unless explicitly enabled with sasl_anonymous = true
Matthew Wild <mwild1@gmail.com>
parents: 799
diff changeset
26 local config = require "core.configmanager";
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
1912
126401a7159f require_encryption deprecated, use c2s_require_encryption instead
Matthew Wild <mwild1@gmail.com>
parents: 1847
diff changeset
28 local secure_auth_only = config.get(module:get_host(), "core", "c2s_require_encryption") or config.get(module:get_host(), "core", "require_encryption");
1216
fd8ce71bc72b mod_saslauth, mod_legacyauth: Deny logins to unsecure sessions when require_encryption config option is true
Matthew Wild <mwild1@gmail.com>
parents: 1186
diff changeset
29
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
30 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
33 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
34 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 local new_sasl = require "util.sasl".new;
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
38 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
39 local reply = st.stanza(status, {xmlns = xmlns_sasl});
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
40 if status == "challenge" then
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
41 log("debug", "%s", ret or "");
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
42 reply:text(base64.encode(ret or ""));
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 elseif status == "failure" then
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
45 if err_msg then reply:tag("text"):text(err_msg); end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
46 elseif status == "success" then
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
47 log("debug", "%s", ret or "");
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
48 reply:text(base64.encode(ret or ""));
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
49 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
50 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
51 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
52 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
53 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
54
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
55 local function handle_status(session, status)
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
56 if status == "failure" then
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
57 session.sasl_handler = nil;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
58 elseif status == "success" then
1846
fdb43fc1bafc mod_saslauth: Prep username used for authenticating a session
Matthew Wild <mwild1@gmail.com>
parents: 1721
diff changeset
59 local username = nodeprep(session.sasl_handler.username);
fdb43fc1bafc mod_saslauth: Prep username used for authenticating a session
Matthew Wild <mwild1@gmail.com>
parents: 1721
diff changeset
60 session.sasl_handler = nil;
fdb43fc1bafc mod_saslauth: Prep username used for authenticating a session
Matthew Wild <mwild1@gmail.com>
parents: 1721
diff changeset
61 if not username then -- TODO move this to sessionmanager
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
62 module:log("warn", "SASL succeeded but we didn't get a username!");
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
63 session.sasl_handler = nil;
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
64 session:reset_stream();
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
65 return;
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
66 end
1846
fdb43fc1bafc mod_saslauth: Prep username used for authenticating a session
Matthew Wild <mwild1@gmail.com>
parents: 1721
diff changeset
67 sm_make_authenticated(session, username);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
68 session:reset_stream();
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
69 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
70 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
71
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1584
diff changeset
72 local function credentials_callback(mechanism, ...)
1638
6fd0c2f46b21 mod_saslauth: Fix indentation
Matthew Wild <mwild1@gmail.com>
parents: 1637
diff changeset
73 if mechanism == "PLAIN" then
1639
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
74 local username, hostname, password = ...;
1725
fb3137652ea6 Uncertain merge with 0.5's SASL
Matthew Wild <mwild1@gmail.com>
parents: 1639 1721
diff changeset
75 username = nodeprep(username);
fb3137652ea6 Uncertain merge with 0.5's SASL
Matthew Wild <mwild1@gmail.com>
parents: 1639 1721
diff changeset
76 if not username then
fb3137652ea6 Uncertain merge with 0.5's SASL
Matthew Wild <mwild1@gmail.com>
parents: 1639 1721
diff changeset
77 return false;
fb3137652ea6 Uncertain merge with 0.5's SASL
Matthew Wild <mwild1@gmail.com>
parents: 1639 1721
diff changeset
78 end
1639
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
79 local response = usermanager_validate_credentials(hostname, username, password, mechanism);
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
80 if response == nil then
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
81 return false;
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
82 else
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
83 return response;
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
84 end
1638
6fd0c2f46b21 mod_saslauth: Fix indentation
Matthew Wild <mwild1@gmail.com>
parents: 1637
diff changeset
85 elseif mechanism == "DIGEST-MD5" then
2014
913c0845ef9a mod_saslauth: Fixed access of globals.
Waqas Hussain <waqas20@gmail.com>
parents: 2013
diff changeset
86 local function func(x) return x; end
1639
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
87 local node, domain, realm, decoder = ...;
1758
5acbf4318715 Add NODEprepping to SASL Digest-MD5 authentication handling.
Tobias Markmann <tm@ayena.de>
parents: 1725
diff changeset
88 local prepped_node = nodeprep(node);
5acbf4318715 Add NODEprepping to SASL Digest-MD5 authentication handling.
Tobias Markmann <tm@ayena.de>
parents: 1725
diff changeset
89 if not prepped_node then
5acbf4318715 Add NODEprepping to SASL Digest-MD5 authentication handling.
Tobias Markmann <tm@ayena.de>
parents: 1725
diff changeset
90 return func, nil;
5acbf4318715 Add NODEprepping to SASL Digest-MD5 authentication handling.
Tobias Markmann <tm@ayena.de>
parents: 1725
diff changeset
91 end
5acbf4318715 Add NODEprepping to SASL Digest-MD5 authentication handling.
Tobias Markmann <tm@ayena.de>
parents: 1725
diff changeset
92 local password = usermanager_get_password(prepped_node, domain);
1638
6fd0c2f46b21 mod_saslauth: Fix indentation
Matthew Wild <mwild1@gmail.com>
parents: 1637
diff changeset
93 if password then
1639
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
94 if decoder then
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
95 node, realm, password = decoder(node), decoder(realm), decoder(password);
0914d128c55e mod_saslauth: Fix coding style and layout, and use of arg[] for vararg
Matthew Wild <mwild1@gmail.com>
parents: 1638
diff changeset
96 end
1375
50ee4b327f86 Adding a parameter for realm to the password_callback.
Tobias Markmann <tm@ayena.de>
parents: 1217
diff changeset
97 return func, md5(node..":"..realm..":"..password);
1638
6fd0c2f46b21 mod_saslauth: Fix indentation
Matthew Wild <mwild1@gmail.com>
parents: 1637
diff changeset
98 else
6fd0c2f46b21 mod_saslauth: Fix indentation
Matthew Wild <mwild1@gmail.com>
parents: 1637
diff changeset
99 return func, nil;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
100 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
101 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
102 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
103
705
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
104 local function sasl_handler(session, stanza)
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
105 if stanza.name == "auth" then
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
106 -- FIXME ignoring duplicates because ejabberd does
1186
078eb3b109e9 mod_saslauth: Fix logic error which prevented SASL ANONYMOUS from working
Matthew Wild <mwild1@gmail.com>
parents: 1073
diff changeset
107 if config.get(session.host or "*", "core", "anonymous_login") then
078eb3b109e9 mod_saslauth: Fix logic error which prevented SASL ANONYMOUS from working
Matthew Wild <mwild1@gmail.com>
parents: 1073
diff changeset
108 if stanza.attr.mechanism ~= "ANONYMOUS" then
078eb3b109e9 mod_saslauth: Fix logic error which prevented SASL ANONYMOUS from working
Matthew Wild <mwild1@gmail.com>
parents: 1073
diff changeset
109 return session.send(build_reply("failure", "invalid-mechanism"));
078eb3b109e9 mod_saslauth: Fix logic error which prevented SASL ANONYMOUS from working
Matthew Wild <mwild1@gmail.com>
parents: 1073
diff changeset
110 end
938
663f75dd7b42 Fixed: Some nil access bugs
Waqas Hussain <waqas20@gmail.com>
parents: 935
diff changeset
111 elseif stanza.attr.mechanism == "ANONYMOUS" then
935
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
112 return session.send(build_reply("failure", "mechanism-too-weak"));
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
113 end
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1584
diff changeset
114 session.sasl_handler = new_sasl(stanza.attr.mechanism, session.host, credentials_callback);
935
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
115 if not session.sasl_handler then
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
116 return session.send(build_reply("failure", "invalid-mechanism"));
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
117 end
2784
e165414a454c mod_saslauth: Requiring c2s encryption means requiring c2s encryption... thanks Flo
Matthew Wild <mwild1@gmail.com>
parents: 2014
diff changeset
118 if secure_auth_only and not session.secure then
e165414a454c mod_saslauth: Requiring c2s encryption means requiring c2s encryption... thanks Flo
Matthew Wild <mwild1@gmail.com>
parents: 2014
diff changeset
119 return session.send(build_reply("failure", "encryption-required"));
e165414a454c mod_saslauth: Requiring c2s encryption means requiring c2s encryption... thanks Flo
Matthew Wild <mwild1@gmail.com>
parents: 2014
diff changeset
120 end
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
121 elseif not session.sasl_handler then
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
122 return; -- FIXME ignoring out of order stanzas because ejabberd does
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
123 end
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
124 local text = stanza[1];
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
125 if text then
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
126 text = base64.decode(text);
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
127 log("debug", "%s", text);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
128 if not text then
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
129 session.sasl_handler = nil;
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
130 session.send(build_reply("failure", "incorrect-encoding"));
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
131 return;
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
132 end
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
133 end
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
134 local status, ret, err_msg = session.sasl_handler:feed(text);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
135 handle_status(session, status);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
136 local s = build_reply(status, ret, err_msg);
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
137 log("debug", "sasl reply: %s", tostring(s));
288
dc53343af9ac Set username in a SASL object.
Tobias Markmann <tm@ayena.de>
parents: 286
diff changeset
138 session.send(s);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
139 end
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
140
438
193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store.
Matthew Wild <mwild1@gmail.com>
parents: 357
diff changeset
141 module:add_handler("c2s_unauthed", "auth", xmlns_sasl, sasl_handler);
193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store.
Matthew Wild <mwild1@gmail.com>
parents: 357
diff changeset
142 module:add_handler("c2s_unauthed", "abort", xmlns_sasl, sasl_handler);
193f9dd64f17 Bumper commit for the new modulemanager API \o/ Updates all the modules, though some more changes may be in store.
Matthew Wild <mwild1@gmail.com>
parents: 357
diff changeset
143 module:add_handler("c2s_unauthed", "response", xmlns_sasl, sasl_handler);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
144
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
145 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
146 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
147 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
148 module:add_event_hook("stream-features",
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
149 function (session, features)
1217
844ef764ef0e mod_saslauth: Don't offer bind/session when they aren't authenticated yet :) [thanks albert, again...]
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
150 if not session.username then
844ef764ef0e mod_saslauth: Don't offer bind/session when they aren't authenticated yet :) [thanks albert, again...]
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
151 if secure_auth_only and not session.secure then
844ef764ef0e mod_saslauth: Don't offer bind/session when they aren't authenticated yet :) [thanks albert, again...]
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
152 return;
844ef764ef0e mod_saslauth: Don't offer bind/session when they aren't authenticated yet :) [thanks albert, again...]
Matthew Wild <mwild1@gmail.com>
parents: 1216
diff changeset
153 end
705
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
154 features:tag("mechanisms", mechanisms_attr);
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
155 -- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
934
0bda9b5b6a06 Fixed: mod_saslauth: Changed anonymous host option from "sasl_anonymous" to "anonymous_login"
Waqas Hussain <waqas20@gmail.com>
parents: 896
diff changeset
156 if config.get(session.host or "*", "core", "anonymous_login") then
887
eef21d7bbe04 mod_saslauth: Disable SASL ANONYMOUS unless explicitly enabled with sasl_anonymous = true
Matthew Wild <mwild1@gmail.com>
parents: 799
diff changeset
157 features:tag("mechanism"):text("ANONYMOUS"):up();
935
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
158 else
2014
913c0845ef9a mod_saslauth: Fixed access of globals.
Waqas Hussain <waqas20@gmail.com>
parents: 2013
diff changeset
159 local mechanisms = usermanager_get_supported_methods(session.host or "*");
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
160 for k, v in pairs(mechanisms) do
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
161 features:tag("mechanism"):text(k):up();
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
162 end
887
eef21d7bbe04 mod_saslauth: Disable SASL ANONYMOUS unless explicitly enabled with sasl_anonymous = true
Matthew Wild <mwild1@gmail.com>
parents: 799
diff changeset
163 end
705
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
164 features:up();
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
165 else
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
166 features:tag("bind", bind_attr):tag("required"):up():up();
2013
0bbbc9042361 mod_saslauth: Marked the im-session stream feature as optional. This allows smart clients to save a round trip.
Waqas Hussain <waqas20@gmail.com>
parents: 1912
diff changeset
167 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
705
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
168 end
11afa1d88c55 mod_saslauth, mod_tls: minor code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 615
diff changeset
169 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
170
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
171 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-bind",
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
172 function (session, stanza)
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
173 log("debug", "Client requesting a resource bind");
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
174 local resource;
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
175 if stanza.attr.type == "set" then
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
176 local bind = stanza.tags[1];
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
177 if bind and bind.attr.xmlns == xmlns_bind then
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
178 resource = bind:child_with_name("resource");
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
179 if resource then
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
180 resource = resource[1];
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
181 end
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
182 end
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
183 end
304
7b28fa8bbfe5 Code cleanup for resource binding
Waqas Hussain <waqas20@gmail.com>
parents: 297
diff changeset
184 local success, err_type, err, err_msg = sm_bind_resource(session, resource);
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
185 if not success then
304
7b28fa8bbfe5 Code cleanup for resource binding
Waqas Hussain <waqas20@gmail.com>
parents: 297
diff changeset
186 session.send(st.error_reply(stanza, err_type, err, err_msg));
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
187 else
304
7b28fa8bbfe5 Code cleanup for resource binding
Waqas Hussain <waqas20@gmail.com>
parents: 297
diff changeset
188 session.send(st.reply(stanza)
7b28fa8bbfe5 Code cleanup for resource binding
Waqas Hussain <waqas20@gmail.com>
parents: 297
diff changeset
189 :tag("bind", { xmlns = xmlns_bind})
7b28fa8bbfe5 Code cleanup for resource binding
Waqas Hussain <waqas20@gmail.com>
parents: 297
diff changeset
190 :tag("jid"):text(session.full_jid));
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
191 end
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
192 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
193
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
194 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-session",
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
195 function (session, stanza)
1072
c7967004b5d0 mod_saslauth: Various logging fixes
Matthew Wild <mwild1@gmail.com>
parents: 1071
diff changeset
196 log("debug", "Client requesting a session");
313
a273f3a7b8f8 Fixed mod_saslauth to use session.send for sending stanzas
Waqas Hussain <waqas20@gmail.com>
parents: 304
diff changeset
197 session.send(st.reply(stanza));
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
198 end);