Mercurial > prosody-modules
annotate mod_srvinjection/mod_srvinjection.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | 47fb4f36dacd |
| children |
| rev | line source |
|---|---|
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
1 |
|
662
b3d130e4b3ae
mod_srvinjection: Use module:set_global()
Florian Zeitz <florob@babelmonkeys.de>
parents:
337
diff
changeset
|
2 module:set_global(); |
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
3 |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
4 local adns = require "net.adns"; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
5 |
|
1248
69f7840923f5
mod_srvinjection: Make the map a shared table so that other plugins can use/modify it
daurnimator <quae@daurnimator.com>
parents:
662
diff
changeset
|
6 local map_config = module:get_option("srvinjection") or {}; |
|
69f7840923f5
mod_srvinjection: Make the map a shared table so that other plugins can use/modify it
daurnimator <quae@daurnimator.com>
parents:
662
diff
changeset
|
7 local map = module:shared "s2s_map" |
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
8 |
|
1248
69f7840923f5
mod_srvinjection: Make the map a shared table so that other plugins can use/modify it
daurnimator <quae@daurnimator.com>
parents:
662
diff
changeset
|
9 for host, mapping in pairs(map_config) do |
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
10 if type(mapping) == "table" and type(mapping[1]) == "string" and (type(mapping[2]) == "number") then |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
11 local connecthost, connectport = mapping[1], mapping[2] or 5269; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
12 map[host] = {{ |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
13 srv = { |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
14 target = connecthost.."."; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
15 port = connectport; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
16 priority = 1; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
17 weight = 0; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
18 }; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
19 }}; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
20 else |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
21 module:log("warn", "Ignoring invalid SRV injection for host '%s'", host); |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
22 map[host] = nil; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
23 end |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
24 end |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
25 |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
26 local original_lookup = adns.lookup; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
27 function adns.lookup(handler, qname, qtype, qclass) |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
28 if qtype == "SRV" then |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
29 local host = qname:match("^_xmpp%-server%._tcp%.(.*)%.$"); |
|
337
beb5073b866a
mod_srvinjection: Fix type in variable name.
Waqas Hussain <waqas20@gmail.com>
parents:
336
diff
changeset
|
30 local mapping = map[host] or map["*"]; |
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
31 if mapping then |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
32 handler(mapping); |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
33 return; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
34 end |
|
1592
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
35 elseif qtype == "A" then |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
36 if (qname == "localhost." or qname == "127.0.0.1.") then |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
37 handler({{ a = "127.0.0.1" }}); |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
38 return; |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
39 end |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
40 local ip = qname:match("^(%d+.%d+.%d+.%d+).$"); |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
41 if ip then |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
42 handler({{ a = ip }}); |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
43 return; |
|
47fb4f36dacd
Add support for IPv4 addresses in SRV injections
Ashley Ward <ashley.ward@surevine.com>
parents:
1325
diff
changeset
|
44 end |
|
96
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
45 end |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
46 return original_lookup(handler, qname, qtype, qclass); |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
47 end |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
48 |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
49 function module.unload() |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
50 adns.lookup = original_lookup; |
|
c1f4edf3bea7
mod_srvinjection: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
51 end |