Mercurial > prosody-modules
annotate mod_s2s_auth_samecert/mod_s2s_auth_samecert.lua @ 5425:3b30635d215c
mod_http_oauth2: Support granting zero role-scopes
It seems Very Bad that if you uncheck all roles on the consent page, you
get the default scopes, which seems the opposite of what you probably
intended. Currently, mod_tokenauth will do the same thing, so work is
needed there too to allow issuing tokens without roles.
A token without a role could be used for OIDC login, and not much else.
This seems like a valuable thing to support.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 May 2023 19:29:15 +0200 |
| parents | c9397cd5cfe6 |
| children |
| rev | line source |
|---|---|
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global() |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local hosts = prosody.hosts; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 module:hook("s2s-check-certificate", function(event) |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local session, cert = event.session, event.cert; |
|
4675
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2234
diff
changeset
|
7 if not cert or session.direction ~= "incoming" then return end |
|
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2234
diff
changeset
|
8 |
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local outgoing = hosts[session.to_host].s2sout[session.from_host]; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 if outgoing and outgoing.type == "s2sout" and outgoing.secure and outgoing.conn:socket():getpeercertificate():pem() == cert:pem() then |
|
2234
3024116d6093
mod_s2s_auth_samecert: Log which s2sout has a matching cert
Kim Alvefur <zash@zash.se>
parents:
2204
diff
changeset
|
11 session.log("debug", "Certificate matches that of s2sout%s", tostring(outgoing):match("[a-f0-9]+$")); |
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 session.cert_identity_status = outgoing.cert_identity_status; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 session.cert_chain_status = outgoing.cert_chain_status; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 return true; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 end |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 end, 1000); |