prosody
c673ff1075bd
plugins/mod_tokenauth.lua
Software / code / prosody
File
plugins/mod_tokenauth.lua @ 13461:c673ff1075bd
mod_posix: Move everything to util.startup
This allows greater control over the order of events.
Notably, the internal ordering between daemonization, initialization of
libunbound and setup of signal handling is sensitive.
libunbound starts a separate thread for processing DNS requests.
If this thread is started before signal handling has been set up, it
will not inherit the signal handlers and instead behave as it would have
before signal handlers were set up, i.e. cause the whole process to
immediately exit.
libunbound is usually initialized on the first DNS request, usually
triggered by an outgoing s2s connection attempt.
If daemonization happens before signals have been set up, signals may
not be processed at all.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 23 Mar 2024 20:48:19 +0100 |
| parent | 13356:bbbda8819331 |
| child | 13638:94462d8f2fa9 |
line wrap: on
line source
local base64 = require "prosody.util.encodings".base64; local hashes = require "prosody.util.hashes"; local id = require "prosody.util.id"; local jid = require "prosody.util.jid"; local random = require "prosody.util.random"; local usermanager = require "prosody.core.usermanager"; local generate_identifier = require "prosody.util.id".short; local token_store = module:open_store("auth_tokens", "keyval+"); local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60); local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w"); local function select_role(username, host, role_name) if not role_name then return end local role = usermanager.get_role_by_name(role_name, host); if not role then return end if not usermanager.user_can_assume_role(username, host, role.name) then return end return role; end function create_grant(actor_jid, grant_jid, grant_ttl, grant_data) grant_jid = jid.prep(grant_jid); if not actor_jid or actor_jid ~= grant_jid and not jid.compare(grant_jid, actor_jid) then module:log("debug", "Actor <%s> is not permitted to create a token granting access to JID <%s>", actor_jid, grant_jid); return nil, "not-authorized"; end local grant_username, grant_host, grant_resource = jid.split(grant_jid); if grant_host ~= module.host then return nil, "invalid-host"; end local grant_id = id.short(); local now = os.time(); local grant = { id = grant_id; owner = actor_jid; created = now; expires = grant_ttl and (now + grant_ttl) or nil; accessed = now; jid = grant_jid; resource = grant_resource; data = grant_data; -- tokens[<hash-name>..":"..<secret>] = token_info tokens = {}; }; local ok, err = token_store:set_key(grant_username, grant_id, grant); if not ok then return nil, err; end module:fire_event("token-grant-created", { id = grant_id; grant = grant; username = grant_username; host = grant_host; }); return grant; end function create_token(grant_jid, grant, token_role, token_ttl, token_purpose, token_data) if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then return nil, "bad-request"; end local grant_username, grant_host = jid.split(grant_jid); if grant_host ~= module.host then return nil, "invalid-host"; end if type(grant) == "string" then -- lookup by id grant = token_store:get_key(grant_username, grant); if not grant then return nil; end end if not grant.tokens then return nil, "internal-server-error"; end -- old-style token? local now = os.time(); local expires = grant.expires; -- Default to same expiry as grant if token_ttl then -- explicit lifetime requested if expires then -- Grant has an expiry, so limit to that or shorter expires = math.min(now + token_ttl, expires); else -- Grant never expires, just use whatever expiry is requested for the token expires = now + token_ttl; end end local token_info = { role = token_role; created = now; expires = expires; purpose = token_purpose; data = token_data; }; local token_secret = random.bytes(18); grant.tokens["sha256:"..hashes.sha256(token_secret, true)] = token_info; local ok, err = token_store:set_key(grant_username, grant.id, grant); if not ok then return nil, err; end local token_string = "secret-token:"..base64.encode("2;"..grant.id..";"..token_secret..";"..grant.jid); return token_string, token_info; end local function parse_token(encoded_token) if not encoded_token then return nil; end local encoded_data = encoded_token:match("^secret%-token:(.+)$"); if not encoded_data then return nil; end local token = base64.decode(encoded_data); if not token then return nil; end local token_id, token_secret, token_jid = token:match("^2;([^;]+);(..................);(.+)$"); if not token_id then return nil; end local token_user, token_host = jid.split(token_jid); return token_id, token_user, token_host, token_secret; end local function clear_expired_grant_tokens(grant, now) local updated; now = now or os.time(); for secret, token_info in pairs(grant.tokens) do local expires = token_info.expires; if expires and expires < now then grant.tokens[secret] = nil; updated = true; end end return updated; end local function _get_validated_grant_info(username, grant) if type(grant) == "string" then grant = token_store:get_key(username, grant); end if not grant or not grant.created or not grant.id then return nil; end -- Invalidate grants from before last password change local account_info = usermanager.get_account_info(username, module.host); local password_updated_at = account_info and account_info.password_updated; local now = os.time(); if password_updated_at and grant.created < password_updated_at then module:log("debug", "Token grant %s of %s issued before last password change, invalidating it now", grant.id, username); token_store:set_key(username, grant.id, nil); return nil, "not-authorized"; elseif grant.expires and grant.expires < now then module:log("debug", "Token grant %s of %s expired, cleaning up", grant.id, username); token_store:set_key(username, grant.id, nil); return nil, "expired"; end if not grant.tokens then module:log("debug", "Token grant %s of %s without tokens, cleaning up", grant.id, username); token_store:set_key(username, grant.id, nil); return nil, "invalid"; end local found_expired = false for secret_hash, token_info in pairs(grant.tokens) do if token_info.expires and token_info.expires < now then module:log("debug", "Token %s of grant %s of %s has expired, cleaning it up", secret_hash:sub(-8), grant.id, username); grant.tokens[secret_hash] = nil; found_expired = true; end end if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime < now then module:log("debug", "Token %s of %s grant has no tokens, discarding", grant.id, username); token_store:set_key(username, grant.id, nil); return nil, "expired"; elseif found_expired then token_store:set_key(username, grant.id, grant); end return grant; end local function _get_validated_token_info(token_id, token_user, token_host, token_secret) if token_host ~= module.host then return nil, "invalid-host"; end local grant, err = token_store:get_key(token_user, token_id); if not grant or not grant.tokens then if err then module:log("error", "Unable to read from token storage: %s", err); return nil, "internal-error"; end module:log("warn", "Invalid token in storage (%s / %s)", token_user, token_id); return nil, "not-authorized"; end -- Check provided secret local secret_hash = "sha256:"..hashes.sha256(token_secret, true); local token_info = grant.tokens[secret_hash]; if not token_info then module:log("debug", "No tokens matched the given secret"); return nil, "not-authorized"; end -- Check expiry local now = os.time(); if token_info.expires and token_info.expires < now then module:log("debug", "Token has expired, cleaning it up"); grant.tokens[secret_hash] = nil; token_store:set_key(token_user, token_id, grant); return nil, "not-authorized"; end -- Verify grant validity (expiry, etc.) grant = _get_validated_grant_info(token_user, grant); if not grant then return nil, "not-authorized"; end -- Update last access time if necessary local last_accessed = grant.accessed; if not last_accessed or (now - last_accessed) > access_time_granularity then grant.accessed = now; clear_expired_grant_tokens(grant); -- Clear expired tokens while we're here token_store:set_key(token_user, token_id, grant); end token_info.id = token_id; token_info.grant = grant; token_info.jid = grant.jid; return token_info; end function get_grant_info(username, grant_id) local grant = _get_validated_grant_info(username, grant_id); if not grant then return nil; end -- Caller is only interested in the grant, no need to expose token stuff to them grant.tokens = nil; return grant; end function get_user_grants(username) local grants = token_store:get(username); if not grants then return nil; end for grant_id, grant in pairs(grants) do grants[grant_id] = _get_validated_grant_info(username, grant); end return grants; end function get_token_info(token) local token_id, token_user, token_host, token_secret = parse_token(token); if not token_id then module:log("warn", "Failed to verify access token: %s", token_user); return nil, "invalid-token-format"; end return _get_validated_token_info(token_id, token_user, token_host, token_secret); end function get_token_session(token, resource) local token_id, token_user, token_host, token_secret = parse_token(token); if not token_id then module:log("warn", "Failed to verify access token: %s", token_user); return nil, "invalid-token-format"; end local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret); if not token_info then return nil, err; end local role = select_role(token_user, token_host, token_info.role); if not role then return nil, "not-authorized"; end return { username = token_user; host = token_host; resource = token_info.resource or resource or generate_identifier(); role = role; }; end function revoke_token(token) local grant_id, token_user, token_host, token_secret = parse_token(token); if not grant_id then module:log("warn", "Failed to verify access token: %s", token_user); return nil, "invalid-token-format"; end if token_host ~= module.host then return nil, "invalid-host"; end local grant, err = _get_validated_grant_info(token_user, grant_id); if not grant then return grant, err; end local secret_hash = "sha256:"..hashes.sha256(token_secret, true); local token_info = grant.tokens[secret_hash]; if not grant or not token_info then return nil, "item-not-found"; end grant.tokens[secret_hash] = nil; local ok, err = token_store:set_key(token_user, grant_id, grant); if not ok then return nil, err; end module:fire_event("token-revoked", { grant_id = grant_id; grant = grant; info = token_info; username = token_user; host = token_host; }); return true; end function revoke_grant(username, grant_id) local ok, err = token_store:set_key(username, grant_id, nil); if not ok then return nil, err; end module:fire_event("token-grant-revoked", { id = grant_id, username = username, host = module.host }); return true; end function sasl_handler(auth_provider, purpose, extra) return function (sasl, token, realm, _authzid) local token_info, err = get_token_info(token); if not token_info then module:log("debug", "SASL handler failed to verify token: %s", err); return nil, nil, extra; end local token_user, token_host, resource = jid.split(token_info.grant.jid); if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then return nil, nil, extra; end if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then return true, false, token_info; end sasl.resource = resource; sasl.token_info = token_info; return token_user, true, token_info; end; end module:daily("clear expired grants", function() for username in token_store:items() do get_user_grants(username); -- clears out expired grants end end)
