annotate mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua @ 5715:8488ebde5739

mod_http_oauth2: Skip consent screen if requested by client and same scopes already granted This follows the intent behind the OpenID Connect 'prompt' parameter when it does not include the 'consent' keyword, that is the client wishes to skip the consent screen. If the user has already granted the exact same scopes to the exact same client in the past, then one can assume that they may grant it again.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:03:37 +0100
parents 8d1141025b43
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local json = require"util.json";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local json_encode, json_decode = json.encode, json.decode;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local gettime = require"socket".gettime;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local serialize = require"util.serialization".serialize;
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
7 local async = require"util.async";
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
8 local http_request = require "net.http".request;
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET",
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 "MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local function check_with_monkeysphere(event)
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local session, host, cert = event.session, event.host, event.cert;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 local post_body = json_encode {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 peer = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 name = host;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 type = "peer";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 context = "https";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 -- context = "xmpp"; -- Monkeysphere needs to be extended to understand this
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 pkc = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 type = "x509pem";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 data = cert:pem();
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 }
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local req = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 method = "POST";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 headers = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 ["Content-Type"] = "application/json";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 };
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
32 body = post_body;
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 session.log("debug", "Asking what Monkeysphere thinks about this certificate");
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 local starttime = gettime();
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
36 local wait, done = async.waiter();
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
37 local body, code;
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
38 http_request(msva_url, req, function (_, _code)
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
39 body, code = body, _code;
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
40 done();
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
41 end);
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
42 wait();
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 module:log("debug", "Request took %fs", gettime() - starttime);
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
44 if code == 200 and body then
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 body = json_decode(body);
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 if body then
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
47 session.log(body.valid and "info" or "warn",
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
48 "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message);
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 if body.valid then
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 session.cert_chain_status = "valid";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 session.cert_identity_status = "valid";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 return true;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 else
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body));
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 module:log("debug", serialize(req));
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 module:hook("s2s-check-certificate", check_with_monkeysphere);