Mercurial > prosody-modules
annotate mod_auth_cyrus/mod_auth_cyrus.lua @ 5401:c8d04ac200fc
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is
not good enough. Ideally we'd validate that it's got proper DNS and is
actually reachable, but triggering HTTP or even DNS lookups seems like
it would carry abuse potential that would best to avoid.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:20:55 +0200 |
parents | b8366e31c829 |
children |
rev | line source |
---|---|
4710
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Prosody IM |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- COPYING file in the source package for more information. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 -- luacheck: ignore 212 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local log = require "util.logger".init("auth_cyrus"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 local usermanager_user_exists = require "core.usermanager".user_exists; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local cyrus_service_realm = module:get_option("cyrus_service_realm"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local cyrus_service_name = module:get_option("cyrus_service_name"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local cyrus_application_name = module:get_option("cyrus_application_name"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local require_provisioning = module:get_option("cyrus_require_provisioning") or false; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 local host_fqdn = module:get_option("cyrus_server_fqdn"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 prosody.unlock_globals(); --FIXME: Figure out why this is needed and |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 -- why cyrussasl isn't caught by the sandbox |
4927
b8366e31c829
mod_auth_cyrus: Adjust module import to work with repo clone - Fix #1744
Kim Alvefur <zash@zash.se>
parents:
4710
diff
changeset
|
22 local cyrus_new = module:require "sasl_cyrus".new; |
4710
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 prosody.lock_globals(); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local new_sasl = function(realm) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 return cyrus_new( |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 cyrus_service_realm or realm, |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 cyrus_service_name or "xmpp", |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 cyrus_application_name or "prosody", |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 host_fqdn |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 ); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 do -- diagnostic |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 local list; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 for mechanism in pairs(new_sasl(module.host):mechanisms()) do |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 list = (not(list) and mechanism) or (list..", "..mechanism); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 if not list then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 module:log("error", "No Cyrus SASL mechanisms available"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 else |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 module:log("debug", "Available Cyrus SASL mechanisms: %s", list); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 local host = module.host; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 -- define auth provider |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 local provider = {}; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 log("debug", "initializing default authentication provider for host '%s'", host); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 function provider.test_password(username, password) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 return nil, "Legacy auth not supported with Cyrus SASL."; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 function provider.get_password(username) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 return nil, "Passwords unavailable for Cyrus SASL."; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 function provider.set_password(username, password) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 return nil, "Passwords unavailable for Cyrus SASL."; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 function provider.user_exists(username) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 if require_provisioning then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 return usermanager_user_exists(username, host); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 return true; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 function provider.create_user(username, password) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 return nil, "Account creation/modification not available with Cyrus SASL."; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 function provider.get_sasl_handler() |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
75 local handler = new_sasl(host); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
76 if require_provisioning then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
77 function handler.require_provisioning(username) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
78 return usermanager_user_exists(username, host); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
79 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
80 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
81 return handler; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
82 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
83 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
84 module:provides("auth", provider); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
85 |