plugins/mod_s2s/mod_s2s.lua @ 5362:612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 22 Mar 2013 14:18:23 +0000 |
| parent | 5351:901ed253bbf7 |
| child | 5363:f29c26da7ecc |
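--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -22,18 +22,20 @@
 local nameprep = require "util.encodings".stringprep.nameprep;
 local new_xmpp_stream = require "util.xmppstream".new;
 local s2s_new_incoming = require "core.s2smanager".new_incoming;
 local s2s_new_outgoing = require "core.s2smanager".new_outgoing;
 local s2s_destroy_session = require "core.s2smanager".destroy_session;
-local s2s_mark_connected = require "core.s2smanager".mark_connected;
 local uuid_gen = require "util.uuid".generate;
 local cert_verify_identity = require "util.x509".verify_identity;
+local fire_global_event = prosody.events.fire_event;
 
 local s2sout = module:require("s2sout");
 
 local connect_timeout = module:get_option_number("s2s_timeout", 90);
 local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5);
+
+local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth);
 
 local sessions = module:shared("sessions");
 
 local log = module._log;
 
@@ -130,10 +132,80 @@
 module:log("warn", "The 'disallow_s2s' config option is deprecated, please see http://prosody.im/doc/s2s#disabling");
 return nil, "This host has disallow_s2s set";
 end
 module:hook("route/remote", route_to_existing_session, 200);
 module:hook("route/remote", route_to_new_session, 100);
+module:hook("s2s-authenticated", make_authenticated, -1);
+end
+
+-- Stream is authorised, and ready for normal stanzas
+function mark_connected(session)
+local sendq, send = session.sendq, session.sends2s;
+
+local from, to = session.from_host, session.to_host;
+
+session.log("info", "%s s2s connection %s->%s complete", session.direction, from, to);
+
+local event_data = { session = session };
+if session.type == "s2sout" then
+fire_global_event("s2sout-established", event_data);
+hosts[from].events.fire_event("s2sout-established", event_data);
+else
+local host_session = hosts[to];
+session.send = function(stanza)
+return host_session.events.fire_event("route/remote", { from_host = to, to_host = from, stanza = stanza });
+end;
+
+fire_global_event("s2sin-established", event_data);
+hosts[to].events.fire_event("s2sin-established", event_data);
+end
+
+if session.direction == "outgoing" then
+if sendq then
+session.log("debug", "sending %d queued stanzas across new outgoing connection to %s", #sendq, session.to_host);
+for i, data in ipairs(sendq) do
+send(data[1]);
+sendq[i] = nil;
+end
+session.sendq = nil;
+end
+
+session.ip_hosts = nil;
+session.srv_hosts = nil;
+end
+end
+
+function make_authenticated(event)
+local session, host = event.session, event.host;
+if not session.secure then
+if require_encryption or secure_auth or secure_domains[host] then
+session:close({
+condition = "policy-violation",
+text = "Encrypted server-to-server communication is required but was not "
+..((session.direction == "outgoing" and "offered") or "used")
+});
+end
+end
+if session.type == "s2sout_unauthed" then
+session.type = "s2sout";
+elseif session.type == "s2sin_unauthed" then
+session.type = "s2sin";
+if host then
+if not session.hosts[host] then session.hosts[host] = {}; end
+session.hosts[host].authed = true;
+end
+elseif session.type == "s2sin" and host then
+if not session.hosts[host] then session.hosts[host] = {}; end
+session.hosts[host].authed = true;
+else
+return false;
+end
+session.log("debug", "connection %s->%s is now authenticated for %s", session.from_host, session.to_host, host);
+
+mark_connected(session);
+
+return true;
 end
 
 --- Helper to check that a session peer's certificate is valid
 local function check_cert_status(session)
 local host = session.direction == "incoming" and session.from_host or session.to_host
@@ -285,11 +357,11 @@
 -- If server is pre-1.0, don't wait for features, just do dialback
 if session.version < 1.0 then
 if not session.dialback_verifying then
 hosts[session.from_host].events.fire_event("s2sout-authenticate-legacy", { origin = session });
 else
-s2s_mark_connected(session);
+mark_connected(session);
 end
 end
 end
 session.notopen = nil;
 end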
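Review bot: In make_authenticated (new lines 179-187) a session that fails the encryption policy is closed but the function does not return, so execution continues to flip session.type to s2sout/s2sin, set session.hosts[host].authed = true and call mark_connected, which flushes the outgoing send queue and fires the s2sout-/s2sin-established events on a session that has just been told to close; add `return false;` directly after the `session:close({ ... })` call so the policy rejection is terminal. The check also reads `secure_auth` and `secure_domains`, which are not declared in this hunk, presumably module-level locals earlier in the file; the default for `s2s_require_encryption` on new line 36 depends on `secure_auth` already being in scope at that point, which is worth confirming. A short header comment on make_authenticated, e.g. `-- Handler for the s2s-authenticated event: enforces the encryption policy, promotes the session type and hands it to mark_connected`, would document the contract that the returned boolean now carries.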