annotate mod_auth_cyrus/mod_auth_cyrus.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would be best to avoid.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:20:55 +0200
parents b8366e31c829
children
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- luacheck: ignore 212

-- Authentication provider backed by Cyrus SASL. Credential checking is
-- delegated to the Cyrus library; this module stores no passwords of its
-- own and cannot check one directly (see provider.test_password below).
local log = require "util.logger".init("auth_cyrus");
local usermanager_user_exists = require "core.usermanager".user_exists;

-- Small reader for the module's configuration keys.
local function option(name)
	return module:get_option(name);
end

-- Realm, service and application names handed to Cyrus; unset values get
-- defaults in new_sasl below. A configured realm applies to every host.
local cyrus_service_realm = option("cyrus_service_realm");
local cyrus_service_name = option("cyrus_service_name");
local cyrus_application_name = option("cyrus_application_name");
-- When true, provider.user_exists and the SASL handler consult usermanager
-- for the account; when false (the default) any username is reported as
-- existing and only Cyrus decides who may authenticate.
local require_provisioning = option("cyrus_require_provisioning") or false;
local host_fqdn = option("cyrus_server_fqdn");

-- The Cyrus binding can only be loaded with the global sandbox open, so the
-- unlock window is kept to this single require and nothing else.
-- FIXME: Figure out why this is needed and why cyrussasl isn't caught by
-- the sandbox.
local cyrus_new;
do
	prosody.unlock_globals();
	cyrus_new = module:require "sasl_cyrus".new;
	prosody.lock_globals();
end
--- Build a Cyrus SASL handler for a realm.
-- Configured cyrus_* options take precedence over the argument and the
-- built-in defaults, so a configured realm overrides the per-host realm.
-- @tparam string realm Realm to use when cyrus_service_realm is unset.
-- @return Whatever sasl_cyrus.new returns for these parameters.
local function new_sasl(realm)
	local service_realm = cyrus_service_realm or realm;
	local service_name = cyrus_service_name or "xmpp";
	local application_name = cyrus_application_name or "prosody";
	return cyrus_new(service_realm, service_name, application_name, host_fqdn);
end
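do -- diagnostic: report which mechanisms the Cyrus library offers for this host
	local names = {};
	for mechanism in pairs(new_sasl(module.host):mechanisms()) do
		names[#names + 1] = mechanism;
	end
	if #names == 0 then
		-- The module still loads in this state, so this log line is the only
		-- place the misconfiguration becomes visible; clients presumably
		-- cannot authenticate at all until it is fixed.
		module:log("error", "No Cyrus SASL mechanisms available");
	else
		-- pairs() order is unspecified; sort so the log line is stable across
		-- restarts and easy to diff, and join once instead of concatenating
		-- in the loop.
		table.sort(names);
		module:log("debug", "Available Cyrus SASL mechanisms: %s", table.concat(names, ", "));
	end
end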
-- Host served by this provider instance, and the provider table itself.
-- The callbacks below are attached to it before module:provides() registers
-- it; each one either delegates to Cyrus SASL or refuses outright.
local host, provider = module.host, {};
log("debug", "initializing default authentication provider for host '%s'", host);
--- Direct (non-SASL) password check; always refused.
-- Cyrus owns the credentials, so legacy password checks cannot be honoured.
-- @tparam string username Ignored.
-- @tparam string password Ignored.
-- @return nil plus a reason; callers must treat this as a failed check.
function provider.test_password(username, password)
	local reason = "Legacy auth not supported with Cyrus SASL.";
	return nil, reason;
end
--- Password retrieval; always refused.
-- No credential material is held on the Prosody side with this backend.
-- @tparam string username Ignored.
-- @return nil plus a reason.
function provider.get_password(username)
	local reason = "Passwords unavailable for Cyrus SASL.";
	return nil, reason;
end
--- Password change; always refused.
-- Credentials live in Cyrus and must be managed there.
-- @tparam string username Ignored.
-- @tparam string password Ignored.
-- @return nil plus a reason.
function provider.set_password(username, password)
	local reason = "Passwords unavailable for Cyrus SASL.";
	return nil, reason;
end
--- Whether an account exists on this host.
-- Without cyrus_require_provisioning every username is reported as existing,
-- because this module keeps no account list of its own; with it, the answer
-- (all return values) comes from usermanager.
-- @tparam string username Local part to look up.
-- @return true, or whatever usermanager.user_exists returns.
function provider.user_exists(username)
	if not require_provisioning then
		return true;
	end
	return usermanager_user_exists(username, host);
end
--- Account creation; always refused.
-- Accounts are provisioned in Cyrus, not through Prosody.
-- @tparam string username Ignored.
-- @tparam string password Ignored.
-- @return nil plus a reason.
function provider.create_user(username, password)
	local reason = "Account creation/modification not available with Cyrus SASL.";
	return nil, reason;
end
--- Create the SASL handler for this host.
-- When provisioning is required the handler is given a require_provisioning
-- callback backed by usermanager; presumably the SASL layer consults it after
-- Cyrus accepts the credentials — confirm in sasl_cyrus.
-- @return The handler produced by new_sasl for this host.
function provider.get_sasl_handler()
	local handler = new_sasl(host);
	if require_provisioning then
		local function is_provisioned(username)
			return usermanager_user_exists(username, host);
		end
		handler.require_provisioning = is_provisioned;
	end
	return handler;
end
-- Register the table above as this host's "auth" provider.
module:provides("auth", provider);