annotate mod_component_roundrobin/mod_component_roundrobin.lua @ 3503:882180b459a0

mod_pubsub_post: Restructure authentication and authorization (BC) This deprecates the default "superuser" actor model and makes the default equivalent to the previous "request.id". A single actor and secret per node is supported because HTTP and WebHooks don't normally include any authorization identity. Allowing authentication bypass when no secret is given should be relatively safe when the actor is unprivileged, as it will be unless explicitly configured otherwise.
author Kim Alvefur <zash@zash.se>
date Sat, 30 Mar 2019 21:16:13 +0100
parents 7dbde05b48a9
children
1 -- Prosody IM
2 -- Copyright (C) 2008-2010 Matthew Wild
3 -- Copyright (C) 2008-2010 Waqas Hussain
4 --
5 -- This project is MIT/X11 licensed. Please see the
6 -- COPYING file in the source package for more information.
7 --
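-- This module only makes sense on a component host (a `Component "..."`
-- section in the config); refuse to load anywhere else. The original message
-- named mod_component, which this file was copied from; it now names this
-- module so the admin is pointed at the right thing.
if module:get_host_type() ~= "component" then
	error("Don't load mod_component_roundrobin manually, it should be for a component, please see http://prosody.im/doc/components", 0);
end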
-- Library handles used below.
local t_concat = table.concat;
local sha1 = require "util.hashes".sha1;
local st = require "util.stanza";

local log = module._log;
local hosts = _G.hosts; -- not referenced anywhere in this file

-- Pool of authenticated component sessions, keyed by session (value `true`).
-- Shared under the name "sessions", like mod_component does (see changeset
-- 3c35283b6780), so it can be reached from outside this module.
local sessions = module:shared("sessions");

-- Round-robin cursor: the key in `sessions` that received the previous stanza.
-- Must be nil or a live key, because handle_stanza passes it to next();
-- on_destroy clears it when its session is removed.
local last_session;
406
a6d215c73c47 mod_component_roundrobin: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
--- Session-destruction callback installed on every pooled component session.
-- Drops the session from the round-robin pool and, when it was the cursor
-- position, resets the cursor so the next handle_stanza call restarts with
-- next(sessions) rather than passing a key that no longer exists (next()
-- raises on an unknown key). `err` is accepted for the callback signature but
-- not used.
local function on_destroy(session, err)
	if not sessions[session] then
		return;
	end
	sessions[session] = nil;
	session.on_destroy = nil;
	if last_session == session then
		last_session = nil;
	end
end
--- Forward an inbound stanza to one of the connected component instances.
-- Hooked (below) for every iq/message/presence addressed to this host. The
-- pool is walked with next() starting after the session used last time, so
-- consecutive stanzas go to different instances. NOTE(review): the instance
-- chosen depends only on arrival order, so a given sender is not pinned to a
-- single instance; a component that keeps per-connection state cannot be
-- balanced this way.
-- Always returns true: the stanza is consumed here, either forwarded or
-- bounced with an error.
local function handle_stanza(event)
	local stanza = event.stanza;

	if not next(sessions) then
		-- Nothing connected: bounce the stanza, except errors and results,
		-- which must never be answered with another error.
		log("warn", "Component not connected, bouncing error for: %s", stanza:top_tag());
		local kind = stanza.attr.type;
		if kind ~= "error" and kind ~= "result" then
			event.origin.send(st.error_reply(stanza, "wait", "service-unavailable", "Component unavailable"));
		end
		return true;
	end

	-- Strip the namespace attribute before it is serialised onto the
	-- component stream (presumably so the stream's default namespace applies).
	stanza.attr.xmlns = nil;
	-- Advance the cursor; wrap to the first key once the end is reached.
	local target = next(sessions, last_session) or next(sessions);
	last_session = target;
	target.send(stanza);
	return true;
end
-- Intercept every stanza addressed to this host (to a bare JID, a full JID or
-- the host itself) and hand it to the round-robin dispatcher. The hooks are
-- registered in the same order as before: all three kinds for "bare", then
-- "full", then "host". Priority -0.5 was chosen to sit above mod_component's
-- handlers for the same events (per changeset a02fbed74487), so this module
-- wins when both are loaded.
for _, target in ipairs({ "bare", "full", "host" }) do
	for _, kind in ipairs({ "iq", "message", "presence" }) do
		module:hook(kind.."/"..target, handle_stanza, -0.5);
	end
end
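--- Handle authentication attempts by components
-- Handler for the XEP-0114 <handshake/> on a not-yet-authenticated component
-- stream. The client proves knowledge of component_secret by sending
-- hex(SHA-1(streamid .. secret)); on a match the session becomes a
-- "component" and joins the shared `sessions` pool that handle_stanza
-- round-robins over.
--
-- event.origin is the component session, event.stanza the <handshake/>.
-- Returns true whenever the event is consumed (success, or the stream was
-- closed); returns nil so other handlers may run when the session is not in
-- the "component_unauthed" state or is already pooled.
function handle_component_auth(event)
	local session, stanza = event.origin, event.stanza;
	-- Prefer the session's own logger (carries connection context) when set;
	-- the original used it only for the two warnings, now for every message.
	local session_log = session.log or log;

	if session.type ~= "component_unauthed" then return; end
	if sessions[session] then return; end

	-- A conforming handshake carries only text (the token); any child element
	-- means a malformed stanza. A session without a host cannot be matched to
	-- a configured secret either.
	if (not session.host) or #stanza.tags > 0 then
		session_log("warn", "Invalid component handshake for host: %s", session.host);
		session:close("not-authorized");
		return true;
	end

	-- Refuse when no usable secret is configured. An empty string used to slip
	-- past the `not secret` check, which would make the expected token
	-- sha1(streamid) alone -- computable by any peer from the stream header,
	-- i.e. no authentication at all -- so it is rejected like an unset secret.
	local secret = module:get_option("component_secret");
	if not secret or secret == "" then
		session_log("warn", "Component attempted to identify as %s, but component_secret is not set", session.host);
		session:close("not-authorized");
		return true;
	end

	-- After the tags check the stanza's array part holds only text nodes, so
	-- t_concat yields the supplied token. The `true` selects hex output from
	-- sha1; both sides are lowercased so digest case does not matter.
	-- Not a constant-time compare, but a mismatch closes the stream and a new
	-- stream presumably gets a new streamid, so the token cannot be probed
	-- incrementally across attempts.
	local supplied_token = t_concat(stanza);
	local calculated_token = sha1(session.streamid..secret, true);
	if supplied_token:lower() ~= calculated_token:lower() then
		session_log("info", "Component authentication failed for %s", session.host);
		session:close{ condition = "not-authorized", text = "Given token does not match calculated token" };
		return true;
	end

	-- Authenticated: add the session to the round-robin pool and hook its
	-- destruction so on_destroy removes it again.
	sessions[session] = true;
	session.on_destroy = on_destroy;
	-- Defaults to true; the flag is consumed outside this file (presumably by
	-- the component stream code) to check that stanzas sent by the component
	-- really carry a from address under its own host.
	session.component_validate_from = module:get_option_boolean("validate_from_addresses", true);
	session.type = "component";
	session_log("info", "Component successfully authenticated: %s", session.host);
	session.send(st.stanza("handshake"));

	return true;
end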
-- Take over the component handshake at priority 10, ahead of lower-priority
-- handlers for the same event (mod_component's, presumably), so sessions are
-- authenticated into this module's pool.
module:hook("stanza/jabber:component:accept:handshake", handle_component_auth, 10);