annotate mod_sasl2/mod_sasl2.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 03 Mar 2023 21:14:19 +0100 |
parents | e9cf361982d5 |
children | 828e5e443613 |
1 -- Prosody IM |
2 -- Copyright (C) 2019 Kim Alvefur |
3 -- |
4 -- This project is MIT/X11 licensed. Please see the |
5 -- COPYING file in the source package for more information. |
6 -- |
7 -- XEP-0388: Extensible SASL Profile |
8 -- |
10 local st = require "util.stanza"; |
11 local errors = require "util.error"; |
12 local base64 = require "util.encodings".base64; |
13 local jid_join = require "util.jid".join; |
14 local set = require "util.set"; |
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
local xmlns_sasl2 = "urn:xmpp:sasl:2";

-- Require TLS before authentication is offered or accepted.
-- c2s_require_encryption takes precedence over the older require_encryption;
-- both default to true, so an unencrypted c2s stream gets no SASL2 at all
-- unless an admin opts out explicitly.
local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
-- Only used to pick the default of insecure_sasl_mechanisms below: when true,
-- PLAIN and LOGIN stop being treated as insecure. It has no effect once
-- insecure_sasl_mechanisms is set explicitly in the config.
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
-- Mechanisms withheld from sessions whose .secure flag is not set (see the
-- stream-features hook). While secure_auth_only is on this list is moot,
-- since nothing is offered on an insecure session in the first place.
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
-- Mechanisms never offered regardless of transport. DIGEST-MD5 (moved to
-- Historic by RFC 6331) is disabled by default.
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });

local host = module.host;
-- Channel-binding callback for "tls-unique" (RFC 5929): returns the TLS
-- Finished message of the peer, read from the connection that the
-- stream-features hook stashes in the SASL handler's userdata. The
-- connection is assumed to expose ssl_peerfinished(); that is checked
-- before this callback is ever registered.
local function tls_unique(self)
	local conn = self.userdata["tls-unique"];
	return conn:ssl_peerfinished();
end
-- Derive the RFC 9266 "tls-exporter" channel-binding value from a
-- connection: 32 bytes of TLS exported keying material under the
-- "EXPORTER-Channel-Binding" label with an empty context string.
-- Returns nil when the LuaSec build behind conn does not expose the
-- keying-material exporter, so callers can treat "no value" as
-- "binding unavailable".
local function tls_exporter(conn)
	local export = conn.ssl_exportkeyingmaterial;
	if not export then
		return;
	end
	return export(conn, "EXPORTER-Channel-Binding", 32, "");
end
-- SASL-side adapter for the "tls-exporter" channel binding: fetches the
-- connection saved under userdata["tls-exporter"] by the stream-features
-- hook and delegates to tls_exporter (nil if the exporter is unavailable).
local function sasl_tls_exporter(self)
	local conn = self.userdata["tls-exporter"];
	return tls_exporter(conn);
end
-- Advertise SASL2 (XEP-0388) <authentication/> in the stream features of an
-- unauthenticated c2s session, creating the session's SASL handler on the
-- way and registering TLS channel-binding callbacks on it where the
-- connection and LuaSec allow. Runs at priority 1.
-- Note that the <authenticate/> handler further down also creates a handler
-- on demand when session.sasl_handler is unset, but without any of the
-- channel-binding setup done here.
module:hook("stream-features", function(event)
	local origin, features = event.origin, event.features;
	local log = origin.log or module._log;

	if origin.type ~= "c2s_unauthed" then
		log("debug", "Already authenticated");
		return
	elseif secure_auth_only and not origin.secure then
		-- Same policy as the <authenticate/> handler: with
		-- (c2s_)require_encryption on, nothing is offered before TLS.
		log("debug", "Not offering authentication on insecure connection");
		return;
	end

	-- One handler per features round; <authenticate/> later picks it up
	-- from origin.sasl_handler.
	local sasl_handler = usermanager_get_sasl_handler(host, origin)
	origin.sasl_handler = sasl_handler;

	-- channel_bindings is filled in below but not read anywhere else in this
	-- function; the offer to the client is made solely through the callbacks
	-- registered on the SASL handler.
	local channel_bindings = set.new()
	-- Keyed on origin.encrypted rather than the origin.secure flag used above;
	-- presumably only a real TLS connection can supply binding material.
	if origin.encrypted then
		-- check whether LuaSec has the nifty binding to the function needed for tls-unique
		-- FIXME: would be nice to have this check only once and not for every socket
		if sasl_handler.add_cb_handler then
			local info = origin.conn:ssl_info();
			if info and info.protocol == "TLSv1.3" then
				-- tls-unique (RFC 5929) is undefined for TLS 1.3, so only the
				-- RFC 9266 exporter binding is offered on such connections.
				log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
				if tls_exporter(origin.conn) then
					log("debug", "Channel binding 'tls-exporter' supported");
					sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
					channel_bindings:add("tls-exporter");
				end
			elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
				-- NOTE(review): on TLS <= 1.2, tls-unique is only a sound binding
				-- when the extended master secret extension (RFC 7627) was
				-- negotiated; without it the triple-handshake attack lets a
				-- MITM obtain a matching Finished value. Nothing here checks for
				-- EMS (info from ssl_info() is not consulted for it), so verify
				-- the LuaSec/OpenSSL build negotiates EMS, or prefer disabling
				-- tls-unique on pre-1.3 connections.
				log("debug", "Channel binding 'tls-unique' supported");
				sasl_handler:add_cb_handler("tls-unique", tls_unique);
				channel_bindings:add("tls-unique");
			else
				log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
			end
			-- Both callbacks (tls_unique / sasl_tls_exporter) read the connection
			-- back from here; this is set even when no binding was registered.
			sasl_handler["userdata"] = {
				["tls-unique"] = origin.conn;
				["tls-exporter"] = origin.conn;
			};
		else
			log("debug", "Channel binding not supported by SASL handler");
		end
	end

	local mechanisms = st.stanza("authentication", { xmlns = xmlns_sasl2 });

	-- Filter the handler's mechanism list: disable_sasl_mechanisms entries are
	-- never offered; insecure_sasl_mechanisms entries are withheld only when
	-- the session is not .secure (which, given the early return above, can
	-- only happen with secure_auth_only switched off).
	local available_mechanisms = sasl_handler:mechanisms()
	for mechanism in pairs(available_mechanisms) do
		if disabled_mechanisms:contains(mechanism) then
			log("debug", "Not offering disabled mechanism %s", mechanism);
		elseif not origin.secure and insecure_mechanisms:contains(mechanism) then
			log("debug", "Not offering mechanism %s on insecure connection", mechanism);
		else
			log("debug", "Offering mechanism %s", mechanism);
			mechanisms:text_tag("mechanism", mechanism);
		end
	end

	features:add_direct_child(mechanisms);

	-- Let other modules attach features that can be negotiated inline with
	-- authentication; they get the session and the stream attributes.
	local inline = st.stanza("inline");
	module:fire_event("advertise-sasl-features", { origin = origin, features = inline, stream = event.stream });
	mechanisms:add_direct_child(inline);
end, 1);
-- Dispatch the outcome of one SASL step as a "sasl2/<base_type>/<status>"
-- event. status is whatever the SASL handler reported (the hooks in this
-- file handle challenge, success, failure and error). For "error" the
-- value in ret is a condition or error object rather than a message: it is
-- moved into the event's error field, wrapped in a util.error object when
-- it is not one already, and message is left nil. err_msg rides along as
-- error_text either way. Returns the result of firing the event.
local function handle_status(session, status, ret, err_msg)
	local message, err = ret, nil;
	if status == "error" then
		message = nil;
		if errors.is_err(ret) then
			err = ret;
		else
			err = errors.new({ condition = ret, text = err_msg }, { session = session });
		end
	end

	local event_name = "sasl2/" .. session.base_type .. "/" .. status;
	return module:fire_event(event_name, {
		session = session;
		message = message;
		error = err;
		error_text = err_msg;
	});
end
-- Report a SASL failure to the client as
-- <failure xmlns="urn:xmpp:sasl:2"><CONDITION xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>[<text/>]</failure>.
-- The condition arrives in event.message, the optional text in
-- event.error_text. NOTE(review): that text reaches an unauthenticated
-- peer, so whatever the auth backend places there should not describe
-- internal state. Returns true so the event counts as handled.
module:hook("sasl2/c2s/failure", function (event)
	local session = event.session;
	local condition = event.message;
	local text = event.error_text;

	local failure = st.stanza("failure", { xmlns = xmlns_sasl2 });
	failure:tag(condition, { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up();
	if text then
		failure:text_tag("text", text);
	end

	session.send(failure);
	return true;
end);
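-- Report an internal error during SASL negotiation to the client. The
-- condition element is placed in the RFC 6120 SASL namespace, matching
-- what the failure handler above does, and falls back to the generic
-- <temporary-auth-failure/> when the error object carries no usable
-- condition (st.stanza():tag(nil) would otherwise raise inside the
-- handler). Error details are deliberately not sent to the
-- (unauthenticated) peer; they remain available to other handlers of the
-- same event through event.error. Returns true (event handled).
module:hook("sasl2/c2s/error", function (event)
	local session = event.session;
	local condition = event.error and event.error.condition;
	if type(condition) ~= "string" or condition == "" then
		condition = "temporary-auth-failure";
	end
	session.send(st.stanza("failure", { xmlns = xmlns_sasl2 })
		:tag(condition, { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up());
	return true;
end);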
-- Send the next server-to-client SASL challenge: event.message is
-- base64-encoded and becomes the text of <challenge xmlns="urn:xmpp:sasl:2"/>.
-- Returns true so the event counts as handled.
module:hook("sasl2/c2s/challenge", function (event)
	local challenge = st.stanza("challenge", { xmlns = xmlns_sasl2 });
	challenge:text(base64.encode(event.message));
	event.session.send(challenge);
	return true;
end);
-- First stage of success handling (priority 1000): promote the session to
-- an authenticated one under the username the SASL handler established,
-- then start building the <success/> stanza that the lower-priority stages
-- extend and eventually send. If sessionmanager refuses, the outcome is
-- rerouted as a failure via handle_status and the event is stopped here.
-- Any final mechanism data carried in event.message is attached as
-- base64 in <additional-data/>.
module:hook("sasl2/c2s/success", function (event)
	local session = event.session;
	local username = session.sasl_handler.username;

	local authenticated, reason = sm_make_authenticated(session, username);
	if not authenticated then
		handle_status(session, "failure", reason);
		return true;
	end

	local success = st.stanza("success", { xmlns = xmlns_sasl2 });
	local additional = event.message;
	if additional then
		success:text_tag("additional-data", base64.encode(additional));
	end
	event.success = success;
end, 1000);
-- Second stage (priority -1000): record the authorized JID in
-- <authorization-identifier/> and send the <success/> built by the
-- earlier stage. session.resource is presumably still nil at this point
-- unless something bound one inline -- TODO confirm what jid_join yields then.
module:hook("sasl2/c2s/success", function (event)
	local session = event.session;
	local authzid = jid_join(session.username, session.host, session.resource);
	local success = event.success;
	success:text_tag("authorization-identifier", authzid);
	session.send(success);
end, -1000);
-- Third stage (priority -1500): once <success/> has gone out, re-run the
-- stream-features event for the now-authenticated session and send the
-- resulting <stream:features/>, since the post-authentication feature set
-- differs from the one offered before.
module:hook("sasl2/c2s/success", function (event)
	local session = event.session;
	local post_auth_features = st.stanza("stream:features");
	module:fire_event("stream-features", { origin = session, features = post_auth_features });
	session.send(post_auth_features);
end, -1500);
-- The gap here is to allow modules to do stuff to the stream after the stanza
-- is sent, but before we proceed with anything else. This is expected to be
-- a common pattern with SASL2, which allows atomic negotiation of a bunch of
-- stream features.
-- Final stage (priority -2000): drop the SASL handler so a later
-- <authenticate/> on this stream starts from a fresh one (the handler
-- below creates one when session.sasl_handler is nil), and mark the event
-- as handled.
module:hook("sasl2/c2s/success", function (event) --luacheck: ignore 212/event
	local finished = event.session;
	finished.sasl_handler = nil;
	return true;
end, -2000);
-- Feed one client SASL message to the session's handler. cdata is the
-- base64 text of the client's message, or nil when there is none; a value
-- that does not decode is answered with the "incorrect-encoding" failure
-- before the mechanism ever sees it. The handler's (status, ret, err_msg)
-- results are forwarded to handle_status, whose return value is passed on.
local function process_cdata(session, cdata)
	local decoded = cdata;
	if cdata then
		decoded = base64.decode(cdata);
		if not decoded then
			return handle_status(session, "failure", "incorrect-encoding");
		end
	end
	return handle_status(session, session.sasl_handler:process(decoded));
end
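-- Handle <authenticate xmlns='urn:xmpp:sasl:2'/>: start a SASL exchange (or
-- reuse the handler already on the session) with the mechanism the client
-- named, record the optional <user-agent id=''/>, and hand the initial
-- response, if any, to process_cdata().
--
-- Everything in `auth` is client-supplied and untrusted; protocol-level
-- problems are answered with a <failure/> rather than raised as Lua errors.
module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
	-- Refuse to authenticate over a plaintext stream when the host requires
	-- encryption. Checked first, before any handler state is created.
	if secure_auth_only and not session.secure then
		return handle_status(session, "failure", "encryption-required");
	end
	local sasl_handler = session.sasl_handler;
	if not sasl_handler then
		sasl_handler = usermanager_get_sasl_handler(host, session);
		session.sasl_handler = sasl_handler;
	end
	-- A missing mechanism attribute used to trip an assert(); a malformed
	-- request from the client should produce a SASL failure instead.
	local mechanism = auth.attr.mechanism;
	if not mechanism then
		return handle_status(session, "failure", "malformed-request");
	end
	if not sasl_handler:select(mechanism) then
		return handle_status(session, "failure", "invalid-mechanism");
	end
	-- Optional client identification (<user-agent id=''/>), kept on the
	-- session for other modules; it is whatever the client claimed.
	local user_agent = auth:get_child("user-agent");
	if user_agent then
		session.client_id = user_agent.attr.id;
	end
	local initial = auth:get_child_text("initial-response");
	return process_cdata(session, initial);
end);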
-- Handle <response xmlns='urn:xmpp:sasl:2'/>: continue an exchange that an
-- earlier <authenticate/> started. Without a handler with a selected
-- mechanism there is nothing to continue, so the response is rejected.
module:hook_tag(xmlns_sasl2, "response", function (session, response)
	local handler = session.sasl_handler;
	local in_progress = handler ~= nil and handler.selected;
	if not in_progress then
		return handle_status(session, "failure", "invalid-mechanism");
	end
	return process_cdata(session, response:get_text());
end);