annotate mod_s2soutinjection/mod_s2soutinjection.lua @ 5448:9d542e86e19a

mod_http_oauth2: Allow requesting a subset of scopes on token refresh

This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:40:09 +0200
parents 4fb922aa0ace
children
Changesets referenced in this annotation:

1089  4057f176be7b  mod_s2soutinjection: Initial commit, variant of mod_srvinjection using 0.9+ APIs
      Kim Alvefur <zash@zash.se>; parents: (none listed)
4932  f4a9e804c457  mod_s2soutinjection: Rewrite based on mod_onions for 0.12 compat (thanks Zash)
      moparisthebest <admin@moparisthebest.com>; parents: 4557
5100  e55d1f7a570a  mod_s2soutinjection: Remove unused variables [luacheck]
      Kim Alvefur <zash@zash.se>; parents: 4932
5101  801ca82b6538  mod_s2soutinjection: Remove undefined global (thanks Damian)
      Kim Alvefur <zash@zash.se>; parents: 5100
5102  9eed88ac8ee8  mod_s2soutinjection: Use module logging API
      Kim Alvefur <zash@zash.se>; parents: 5101
5103  4fb922aa0ace  mod_s2soutinjection: Use session logger where it makes sense
      Kim Alvefur <zash@zash.se>; parents: 5102

rev   line  source
1089     1  local st = require"util.stanza";
1089     2  local new_outgoing = require"core.s2smanager".new_outgoing;
1089     3  local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
4932     4  local initialize_filters = require "util.filters".initialize;
4932     5
4932     6  local portmanager = require "core.portmanager";
4932     7
4932     8  local addclient = require "net.server".addclient;
4932     9
4932    10  module:depends("s2s");
4932    11
4932    12  local sessions = module:shared("sessions");
1089    13
1089    14  local injected = module:get_option("s2s_connect_overrides");
1089    15
4932    16  -- The proxy_listener handles connection while still connecting to the proxy,
4932    17  -- then it hands them over to the normal listener (in mod_s2s)
5101    18  local proxy_listener = { default_port = nil, default_mode = "*a", default_interface = "*" };
4932    19
4932    20  function proxy_listener.onconnect(conn)
4932    21      local session = sessions[conn];
4932    22
4932    23      -- Now the real s2s listener can take over the connection.
4932    24      local listener = portmanager.get_service("s2s").listener;
4932    25
5100    26      local log = session.log;
4932    27
4932    28      local filter = initialize_filters(session);
4932    29
4932    30      session.version = 1;
4932    31
4932    32      session.sends2s = function (t)
4932    33          log("debug", "sending (s2s over proxy): %s", (t.top_tag and t:top_tag()) or t:match("^[^>]*>?"));
4932    34          if t.name then
4932    35              t = filter("stanzas/out", t);
4932    36          end
4932    37          if t then
4932    38              t = filter("bytes/out", tostring(t));
4932    39              if t then
4932    40                  return conn:write(tostring(t));
4932    41              end
4932    42          end
4932    43      end
4932    44
4932    45      session.open_stream = function ()
4932    46          session.sends2s(st.stanza("stream:stream", {
4932    47              xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
4932    48              ["xmlns:stream"]='http://etherx.jabber.org/streams',
4932    49              from=session.from_host, to=session.to_host, version='1.0', ["xml:lang"]='en'}):top_tag());
4932    50      end
4932    51
4932    52      conn.setlistener(conn, listener);
4932    53
4932    54      listener.register_outgoing(conn, session);
4932    55
4932    56      listener.onconnect(conn);
4932    57  end
4932    58
4932    59  function proxy_listener.register_outgoing(conn, session)
4932    60      session.direction = "outgoing";
4932    61      sessions[conn] = session;
4932    62  end
4932    63
4932    64  function proxy_listener.ondisconnect(conn, err)
4932    65      sessions[conn] = nil;
1089    66  end
1089    67
1089    68  module:hook("route/remote", function(event)
1089    69      local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
1089    70      local inject = injected and injected[to_host];
1089    71      if not inject then return end
5102    72      module:log("debug", "opening a new outgoing connection for this stanza");
1089    73      local host_session = new_outgoing(from_host, to_host);
1089    74
1089    75      -- Store in buffer
1089    76      host_session.bounce_sendq = bounce_sendq;
1089    77      host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
5103    78      host_session.log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
1089    79
4932    80      local host, port = inject[1] or inject, tonumber(inject[2]) or 5269;
1089    81
4932    82      local conn = addclient(host, port, proxy_listener, "*a");
1089    83
4932    84      proxy_listener.register_outgoing(conn, host_session);
1089    85
4932    86      host_session.conn = conn;
4932    87      return true;
1089    88  end, -2);