annotate mod_sasl2_sm/mod_sasl2_sm.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents c92c87daa09e
children 92ce3859df63
local st = require "util.stanza";

-- mod_smacks is where do_enable()/do_resume() come from (called further down);
-- this module only connects those to the SASL2 / bind2 exchange.
local mod_smacks = module:depends("smacks");

local xmlns_sasl2 = "urn:xmpp:sasl:2";
local xmlns_sm = "urn:xmpp:sm:3";

-- Loaded for its side effects only; the sasl2/c2s/* events hooked below are
-- presumably fired by mod_sasl2. Keep the depends() order as-is.
module:depends("sasl2");

-- Advertise what we can do

-- Adds <sm xmlns='urn:xmpp:sm:3'/> to the features element carried by the
-- "advertise-sasl-features" event.
local function advertise_sasl2_sm(event)
	event.features:tag("sm", { xmlns = xmlns_sm }):up();
end

-- Adds <feature var='urn:xmpp:sm:3'/> to the features element carried by the
-- "advertise-bind-features" event.
local function advertise_bind2_sm(event)
	event.features:tag("feature", { var = xmlns_sm }):up();
end

module:hook("advertise-sasl-features", advertise_sasl2_sm);
module:hook("advertise-bind-features", advertise_bind2_sm);

-- Remember whatever child element in the urn:xmpp:sm:3 namespace the client put
-- inline in its <authenticate/>. Nothing is acted upon here: the element comes
-- from a client that has not authenticated yet, so it is only cached on the
-- session and picked up by the sasl2/c2s/success handler below (and discarded
-- again by the sasl2/c2s/failure handler at the end of this file).
local function cache_sm_request(session, auth)
	local sm_request = auth:child_with_ns(xmlns_sm);
	session.sasl2_sm_request = sm_request;
end

module:hook_tag(xmlns_sasl2, "authenticate", cache_sm_request, 100);

-- SASL 2 integration (for resume)

-- Runs at priority 110 so that the <resumed/> or <failed/> element is already
-- part of event.success when the lower-priority handlers send it. Only a cached
-- <resume/> is handled here; <enable/> is dealt with through bind2 (see below).
local function resume_sm_via_sasl2(event)
	local session = event.session;
	local sm_request = session.sasl2_sm_request;
	if not sm_request then return; end
	-- Consume the cached request so it can only ever be used once
	session.sasl2_sm_request = nil;
	if sm_request.name ~= "resume" then return; end

	local sm_result;
	local resumed, err = mod_smacks.do_resume(session, sm_request);
	if resumed then
		-- From here on the resumed session is the one the SASL2 exchange continues with
		event.session = resumed.session;
		event.session.sasl2_sm_success = resumed; -- finish() is invoked once the final SASL response has been sent
		sm_result = st.stanza("resumed", {
			xmlns = xmlns_sm;
			h = ("%d"):format(event.session.handled_stanza_count);
			previd = resumed.id;
		});
	else
		-- NOTE(review): assumes do_resume() always returns an error object here
		-- (err.context is read without a nil check) — confirm against mod_smacks.
		local h = err.context and err.context.h;
		local failed = st.stanza("failed", { xmlns = xmlns_sm, h = h and ("%d"):format(h) or nil });
		sm_result = failed:add_error(err);
	end

	if sm_result then
		event.success:add_child(sm_result);
	end
end

module:hook("sasl2/c2s/success", resume_sm_via_sasl2, 110);

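-- Bind 2 integration (for enable)

-- Note: the bind2 <feature var='urn:xmpp:sm:3'/> advertisement is registered
-- once, by the "advertise-bind-features" hook in the "Advertise what we can do"
-- section near the top of this file. An identical second hook used to sit here
-- as well; with both registered, every bind2 features list carried the same
-- <feature/> element twice, so this section now only holds the <enable/>
-- handling that follows.
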
-- Handles <enable xmlns='urn:xmpp:sm:3'/> carried inline in the bind2 request.
-- Exactly one of <enabled/> or <failed/> is appended to event.result.
local function enable_sm_via_bind2(event)
	local sm_enable = event.request:get_child("enable", xmlns_sm);
	if not sm_enable then return; end

	local enabled, err = mod_smacks.do_enable(event.session, sm_enable);
	local sm_result;
	if enabled then
		event.session.sasl2_sm_success = enabled; -- finish() is invoked once the final SASL response has been sent
		-- NOTE(review): presumably util.stanza expects string attribute values, so
		-- this relies on enabled.id and enabled.resume_max already being strings
		-- (or nil) as returned by mod_smacks.do_enable — confirm there.
		sm_result = st.stanza("enabled", {
			xmlns = xmlns_sm;
			id = enabled.id;
			resume = enabled.id and "1" or nil;
			max = enabled.resume_max;
		});
	else
		sm_result = st.stanza("failed", { xmlns = xmlns_sm }):add_error(err);
	end
	event.result:add_child(sm_result);
end

module:hook("enable-bind-features", enable_sm_via_bind2, 100);

-- Finish and/or clean up after SASL 2 completed

-- Priority -1100 puts this after the handlers that send the <success/>: by the
-- time it runs the authenticate response, including any <enabled/>/<resumed/>
-- element, has already been sent, and only then is the pending enable/resume
-- finalised.
local function finish_pending_sm(event)
	local pending = event.session.sasl2_sm_success;
	if not pending then return; end
	pending.finish(); -- completes enable/resume and syncs stanzas
end

module:hook("sasl2/c2s/success", finish_pending_sm, -1100);

-- Authentication failed: drop the cached stream-management request so a later
-- sasl2/c2s/success on the same session cannot pick it up.
local function discard_sm_request(event)
	local session = event.session;
	session.sasl2_sm_request = nil;
end

module:hook("sasl2/c2s/failure", discard_sm_request);