annotate mod_auth_ha1/mod_auth_ha1.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents 31c4d92a81e5
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1472
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 -- Prosody IM
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 -- Copyright (C) 2014 Matthew Wild
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 --
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 -- This project is MIT/X11 licensed. Please see the
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5 -- COPYING file in the source package for more information.
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 --
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 local usermanager = require "core.usermanager";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 local new_sasl = require "util.sasl".new;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local nodeprep = require "util.encodings".stringprep.nodeprep;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 local nameprep = require "util.encodings".stringprep.nameprep;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 local md5 = require "util.hashes".md5;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 local host = module.host;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 local auth_filename = module:get_option_string("auth_ha1_file", "auth.txt");
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 local auth_data = {};
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 function reload_auth_data()
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 local f, err = io.open(auth_filename);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 if not f then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 module:log("error", "Failed to read from auth file: %s", err);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 return;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 auth_data = {};
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 local line_number, imported_count, not_authorized_count = 0, 0, 0;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 for line in f:lines() do
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 line_number = line_number + 1;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local username, hash, realm, state = line:match("^([^:]+):(%x+):([^:]+):(.+)$");
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 if not username then
1473
31c4d92a81e5 mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents: 1472
diff changeset
32 if line:sub(1,1) ~= "#" then
31c4d92a81e5 mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents: 1472
diff changeset
33 module:log("error", "Unable to parse line %d of auth file, skipping", line_number);
31c4d92a81e5 mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents: 1472
diff changeset
34 end
1472
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 else
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 username, realm = nodeprep(username), nameprep(realm);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 if not username then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 module:log("error", "Invalid username on line %d of auth file, skipping", line_number);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 elseif not realm then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 module:log("error", "Invalid hostname/realm on line %d of auth file, skipping", line_number);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 elseif state ~= "authorized" then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 not_authorized_count = not_authorized_count + 1;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 elseif realm == host then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 auth_data[username] = hash;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 imported_count = imported_count + 1;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 f:close();
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 module:log("debug", "Loaded %d accounts from auth file (%d authorized)", imported_count, imported_count-not_authorized_count);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 function module.load()
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54 reload_auth_data();
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 module:hook_global("config-reloaded", reload_auth_data);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 -- define auth provider
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 local provider = {};
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
62 function provider.test_password(username, password)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 module:log("debug", "test password for user %s at host %s, %s", username, host, password);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 local test_hash = md5(username..":"..host..":"..password, true);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 if test_hash == auth_data[username] then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 return true;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69 else
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70 return nil, "Auth failed. Invalid username or password.";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 function provider.set_password(username, password)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75 return nil, "Changing passwords not supported";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
77
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 function provider.user_exists(username)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 if not auth_data[username] then
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 module:log("debug", "account not found for username '%s' at host '%s'", username, host);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 return nil, "Auth failed. Invalid username";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
82 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 return true;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
86 function provider.create_user(username, password)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
87 return nil, "User creation not supported";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
88 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 function provider.delete_user(username)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91 return nil , "User deletion not supported";
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 function provider.get_sasl_handler()
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
95 return new_sasl(host, {
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
96 plain_test = function(sasl, username, password, realm)
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
97 return usermanager.test_password(username, realm, password), true;
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
98 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
99 });
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
100 end
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
101
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
102 module:provides("auth", provider);
d44926f39f00 mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
103