prosody-modules: mod_s2s_auth_samecert/mod_s2s_auth_samecert.lua annotate

annotate mod_s2s_auth_samecert/mod_s2s_auth_samecert.lua @ 5407:149634647b48

mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.

author	Kim Alvefur <zash@zash.se>
date	Tue, 02 May 2023 16:39:32 +0200
parents	c9397cd5cfe6
children

rev	line source
2204 affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	1 module:set_global()
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	2
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	3 local hosts = prosody.hosts;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	4
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	5 module:hook("s2s-check-certificate", function(event)
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	6 local session, cert = event.session, event.cert;
4675 c9397cd5cfe6 mod_s2s_auth_samecert: Handle lack of provided client certificate Kim Alvefur <zash@zash.se> parents: 2234 diff changeset	7 if not cert or session.direction ~= "incoming" then return end
c9397cd5cfe6 mod_s2s_auth_samecert: Handle lack of provided client certificate Kim Alvefur <zash@zash.se> parents: 2234 diff changeset	8
2204 affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	9 local outgoing = hosts[session.to_host].s2sout[session.from_host];
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	10 if outgoing and outgoing.type == "s2sout" and outgoing.secure and outgoing.conn:socket():getpeercertificate():pem() == cert:pem() then
2234 3024116d6093 mod_s2s_auth_samecert: Log which s2sout has a matching cert Kim Alvefur <zash@zash.se> parents: 2204 diff changeset	11 session.log("debug", "Certificate matches that of s2sout%s", tostring(outgoing):match("[a-f0-9]+$"));
2204 affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	12 session.cert_identity_status = outgoing.cert_identity_status;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	13 session.cert_chain_status = outgoing.cert_chain_status;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	14 return true;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	15 end
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection Kim Alvefur <zash@zash.se> parents: diff changeset	16 end, 1000);