annotate mod_sasl2_sm/mod_sasl2_sm.lua @ 5289:308024be6d6f

mod_authz_delegate: introduce module to "link" authorization of hosts See the readme :-). Motivation is allowing Snikket admins to change circle avatars via the web portal without bypassing Prosody access checks.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 29 Mar 2023 17:21:45 +0200
parents c92c87daa09e
children 92ce3859df63
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local st = require "util.stanza";
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local mod_smacks = module:depends("smacks");
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4
5039
c0d243b27e64 mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents: 5037
diff changeset
5 local xmlns_sasl2 = "urn:xmpp:sasl:2";
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 local xmlns_sm = "urn:xmpp:sm:3";
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
5094
c92c87daa09e mod_sasl2_sm: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5060
diff changeset
8 module:depends("sasl2");
c92c87daa09e mod_sasl2_sm: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5060
diff changeset
9
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
10 -- Advertise what we can do
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
11
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
12 module:hook("advertise-sasl-features", function (event)
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 local features = event.features;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
14 features:tag("sm", { xmlns = xmlns_sm }):up();
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
15 end);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
16
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
17 module:hook("advertise-bind-features", function (event)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
18 local features = event.features;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
19 features:tag("feature", { var = xmlns_sm }):up();
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 end);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 -- Cache action for future processing (after auth success)
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
24 session.sasl2_sm_request = auth:child_with_ns(xmlns_sm);
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 end, 100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
27 -- SASL 2 integration (for resume)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
28
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 module:hook("sasl2/c2s/success", function (event)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local session = event.session;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
31 local sm_request = session.sasl2_sm_request;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
32 if not sm_request then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
33 session.sasl2_sm_request = nil;
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 local sm_result;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
35 if sm_request.name ~= "resume" then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
36
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
37 local resumed, err = mod_smacks.do_resume(session, sm_request);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
38 if not resumed then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
39 local h = err.context and err.context.h;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
40 sm_result = st.stanza("failed", { xmlns = xmlns_sm, h = h and ("%d"):format(h) or nil })
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
41 :add_error(err);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
42 else
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
43 event.session = resumed.session; -- Update to resumed session
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
44 event.session.sasl2_sm_success = resumed; -- To be called after sending final SASL response
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
45 sm_result = st.stanza("resumed", { xmlns = xmlns_sm,
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
46 h = ("%d"):format(event.session.handled_stanza_count);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
47 previd = resumed.id; });
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 end
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
49
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 if sm_result then
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 event.success:add_child(sm_result);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 end
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
53 end, 110);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
54
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
55 -- Bind 2 integration (for enable)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
56
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
57 module:hook("advertise-bind-features", function (event)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
58 event.features:tag("feature", { var = xmlns_sm }):up();
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
59 end);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
60
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
61 module:hook("enable-bind-features", function (event)
5060
bc491065c221 mod_sasl2_bind2, mod_sasl2_sm: Remove bind2 <features/> wrapper element
Matthew Wild <mwild1@gmail.com>
parents: 5039
diff changeset
62 local sm_enable = event.request:get_child("enable", xmlns_sm);
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
63 if not sm_enable then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
64
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
65 local sm_result;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
66 local enabled, err = mod_smacks.do_enable(event.session, sm_enable);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
67 if not enabled then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
68 sm_result = st.stanza("failed", { xmlns = xmlns_sm })
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
69 :add_error(err);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
70 else
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
71 event.session.sasl2_sm_success = enabled; -- To be called after sending final SASL response
5034
f7eaf73b8f30 mod_sasl2_sm: Fix typo
Matthew Wild <mwild1@gmail.com>
parents: 5030
diff changeset
72 sm_result = st.stanza("enabled", {
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
73 xmlns = xmlns_sm;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
74 id = enabled.id;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
75 resume = enabled.id and "1" or nil;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
76 max = enabled.resume_max;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
77 });
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
78 end
5035
baebe7452903 mod_sasl2_sm: Fix event field name
Matthew Wild <mwild1@gmail.com>
parents: 5034
diff changeset
79 event.result:add_child(sm_result);
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 end, 100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
82 -- Finish and/or clean up after SASL 2 completed
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
83
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 module:hook("sasl2/c2s/success", function (event)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 -- The authenticate response has already been sent at this point
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
86 local success = event.session.sasl2_sm_success;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
87 if success then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
88 success.finish(); -- Finish enable/resume and sync stanzas
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 end
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 end, -1100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 module:hook("sasl2/c2s/failure", function (event)
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
93 event.session.sasl2_sm_request = nil;
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 end);