Software /
code /
prosody
Annotate
util/sasl/oauthbearer.lua @ 13055:e732f9dfdfc8
mod_mam: port to use util.human.io.parse_duration
Updated by Zash, the original patch by Jonas had put the duration
parsing function in util.datetime but MattJ later did the same thing but
differently in f4d7fe919969
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Thu, 28 Apr 2022 20:38:40 +0200 |
parent | 12975:d10957394a3c |
child | 13112:b6aaab0846fe |
rev | line source |
---|---|
12975
d10957394a3c
util: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12951
diff
changeset
|
1 local json = require "prosody.util.json"; |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local _ENV = nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local function oauthbearer(self, message) |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 if not message then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 if message == "\001" then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 return "failure", "not-authorized"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
12951
4cc0785f960e
util.sasl.oauthbearer: Fix gs2-header parsing
Matthew Wild <mwild1@gmail.com>
parents:
12940
diff
changeset
|
14 local gs2_header, kvpairs = message:match("^(n,[^,]*,)(.+)$"); |
12940
2aebd9bf02fc
util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid
Kim Alvefur <zash@zash.se>
parents:
12938
diff
changeset
|
15 if not gs2_header then |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 end |
12940
2aebd9bf02fc
util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid
Kim Alvefur <zash@zash.se>
parents:
12938
diff
changeset
|
18 local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$"); |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local auth_header; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 if k == "auth" then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 auth_header = v; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 break; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 if not auth_header then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 local token = auth_header:match("^Bearer (.+)$"); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 |
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12937
diff
changeset
|
34 local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid); |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 if state == false then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 return "failure", "account-disabled"; |
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12937
diff
changeset
|
38 elseif state == nil or not username then |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 -- For token-level errors, RFC 7628 demands use of a JSON-encoded |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 -- challenge response upon failure. We relay additional info from |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 -- the auth backend if available. |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 return "challenge", json.encode({ |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 status = token_info and token_info.status or "invalid_token"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 scope = token_info and token_info.scope or nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 ["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 }); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 end |
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12937
diff
changeset
|
48 self.username = username; |
12937
23b20ede9c34
util.sasl.oauthbearer: Fix syntax error in b796e08e6376
Matthew Wild <mwild1@gmail.com>
parents:
12936
diff
changeset
|
49 self.token_info = token_info; |
12936
b796e08e6376
util.sasl.oauthbearer: Attach token_info to sasl handler
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
50 |
12911
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 return "success"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 local function init(registerMechanism) |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 return { |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 init = init; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 } |